Abstract

This work presents three increasingly expressive Dynamic Logics in which the programs are CCS processes (sCCS-PDL, CCS-PDL and XCCS-PDL). Their goal is to reason about properties of concurrent programs and systems described using CCS. In order to accomplish that, CCS's operators and constructions are added to a basic modal logic in order to create dynamic logics that are suitable for the description and verification of properties of communicating, concurrent and non-deterministic programs and systems, in a similar way as PDL is used for the sequential case. We provide complete axiomatizations for the three logics. Unlike Peleg's Concurrent PDL with Channels, our logics have a simple Kripke semantics, complete axiomatizations and the finite model property.

Keywords: Dynamic Logic, Concurrency, Kripke Semantics, Axiomatization, 
Completeness 

1 Introduction 

Propositional Dynamic Logic (PDL) [7] plays an important role in formal specification and reasoning about sequential programs and systems. PDL is a multi-modal logic with one modality $\langle\pi\rangle$ for each program $\pi$. The logic has a set of basic programs and a set of operators (sequential composition, iteration and nondeterministic choice) that are used to inductively build the set of non-basic programs. PDL has been used to describe and verify properties and behaviour of sequential programs and systems. Correctness, termination, fairness, liveness and equivalence of programs are among the properties that one usually wants to verify. A Kripke semantics can be provided, with a frame $\mathcal{F} = (W, R_\pi)$, where $W$ is a non-empty set of possible program states and, for each program $\pi$, $R_\pi$ is a binary relation on $W$ such that $(s, t) \in R_\pi$ if and only if there is a computation of $\pi$ starting in $s$ and terminating in $t$.

The Calculus for Communicating Systems (CCS) is a well known process algebra, proposed by Robin Milner [12], for the specification of communicating concurrent systems. It models the concurrency and interaction between processes through individual acts of communication. A pair of processes can communicate through a common channel and each act of communication consists simply of a signal being sent at one end of the channel and immediately being received at the other. A CCS specification is a description (in the form of algebraic equations) of the behaviour expected from a system, based on the communication events that may occur. As in PDL, CCS has a set of operators (action prefix, parallel composition, nondeterministic choice and restriction on acts of communication) that are used to inductively build process specifications from a set of basic actions. Iteration can also be described through the use of recursive equations.

This work presents three increasingly expressive Dynamic Logics in which 
the programs are CCS processes (sCCS-PDL, CCS-PDL and XCCS-PDL). Their 
goal is to reason about properties of concurrent programs and systems described 
using CCS. 

There are, in the literature, some logics that make use of CCS or other 
process algebras. However, they use these process algebras as a language for 
the description of frames and models, while using standard modal logics for 
the description of properties (see, for example, [T^] and [Ml). The logics that 
we develop in the present work use CCS in a distinct way. Its operators and 
constructions are added to a basic modal logic in order to create dynamic logics 
that are suitable for the description and verification of properties of commu- 
nicating, concurrent and non-deterministic programs and systems, in a similar 
way as PDL is used for the sequential case. 

Thus, it should be emphasized that the contribution of this work is on the 
field of dynamic logics and not on the field of process algebras. From process 
algebras, we just borrow a set of operators that are suitable for the description 
of communication and concurrency. We use these operators because they have 
a well-established theory behind them and we can use many of its concepts and 
results to help us build our logics. 

Our paper falls in the broad category of works that attempt to generalize 
PDL and build dynamic logics that deal with classes of non-regular programs. 
As examples of other works in this area, we can mention TO] , [9^ and [11] , that 
develop decidable dynamic logics for fragments of the class of context-free pro- 
grams and [IS] , [H] and [5] , that develop dynamic logics for classes of programs 
with some sort of concurrency. Our logics have a close relation to two logics in 
this last group: Concurrent PDL with Channels [E] and the logic developed in 
[6] . Both of these logics are expressive enough to represent interesting properties 
of communicating concurrent systems. However, neither of them has a simple 
Kripke semantics. The first has a semantics based on super-states and super-processes and its satisfiability problem can be proved undecidable (in fact, it is $\Pi^1_1$-hard). Also, it does not have a complete axiomatization [IS]. The second 
makes a semantic distinction between final and non-final states, which makes 
its semantics and its axiomatization rather complex. On the other hand, due to 
the use of the CCS mechanisms of communication and concurrency, our logics 
have a simple Kripke semantics, simple and complete axiomatizations and the 
finite model property. 

We choose to base our logics on the mechanisms of communication and concurrency of CCS, instead of some other process algebra, for two reasons. First, CCS is built with the philosophy that only those operators that are essential to the description of the basic behaviours of communication and concurrency should be included as primitives in the language, while the operators and behaviours of greater complexity should be derived from the basic ones. Using a small language like CCS, where only the more basic constructions are present, we can study in detail which problems may arise when we try to use its operators to build a dynamic logic and which operators and constructions we need to add or remove to correct these problems. Second, the development of CCS-based dynamic logics can be used as a natural stepping stone to the development of dynamic logics based on the $\pi$-Calculus [13], a very powerful process algebra that is able to describe not only non-determinism and concurrency, but also mobility of processes. The $\pi$-Calculus can also be used to encode some powerful programming paradigms, such as object-oriented programming and functional programming ($\lambda$-Calculus) [13].

The rest of this paper is organized as follows. In section 2 we introduce the necessary background concepts: Propositional Dynamic Logic and the Calculus for Communicating Systems. Our first logic (sCCS-PDL), together with a complete axiomatic system, is presented in section 3. In this logic, we do not use constants or restriction in the CCS processes. In section 4 we present our second logic (CCS-PDL), in which we allow the presence of constants in the CCS processes. We also give an axiomatization for this second logic and prove its completeness using a Fischer-Ladner construction. The third logic (XCCS-PDL), together with a complete axiomatization for it, is presented in section 5. In this logic, we extend CCS with some extra operators, which allows us to solve some issues that appear in the previous logics. Finally, in section 6 we state our final remarks.

In the preliminary version of this work ([2]), the contents of section 5 are completely absent and the concepts and proofs in section 4 are presented in far less detail. Besides that, most of the motivations, discussions and detailed explanations that we present in this paper, trying to show what guided our choices in the construction of these logics, are also absent from [2].

2 Background 

This section presents two important subjects. First, we make a brief review of 
the syntax and semantics of PDL. Second, we present the process algebra CCS 
together with some useful concepts, properties and results from its theory. We 
do not assume a familiarity with CCS, since process algebras are by no means a 
universally studied topic among (modal) logicians. We introduce here all that 
is necessary for our presentation in the next sections, trying to make this work 
as self-contained as possible. 

2.1 Propositional Dynamic Logic 

In this section, we present the syntax and semantics of PDL. 

Definition 1. The PDL language consists of a set $\Phi$ of countably many proposition symbols, a set $\Pi$ of countably many basic programs, the boolean connectives $\neg$ and $\wedge$, the program constructors $;$, $\cup$ and $*$ and a modality $\langle\pi\rangle$ for every program $\pi$. The formulas are defined as follows:

$\varphi ::= p \mid \top \mid \neg\varphi \mid \varphi_1 \wedge \varphi_2 \mid \langle\pi\rangle\varphi$, with $\pi ::= a \mid \pi_1;\pi_2 \mid \pi_1 \cup \pi_2 \mid \pi^*$,
where $p \in \Phi$ and $a \in \Pi$.

In all the logics that appear in this paper, we use the standard abbreviations

$\bot = \neg\top$, $\varphi \vee \psi = \neg(\neg\varphi \wedge \neg\psi)$, $\varphi \to \psi = \neg(\varphi \wedge \neg\psi)$ and $[\pi]\varphi = \neg\langle\pi\rangle\neg\varphi$.

Definition 2. A frame for PDL is a tuple $\mathcal{F} = (W, R_a, R_\pi)$ where

• $W$ is a non-empty set of states;

• $R_a$ is a binary relation for each basic program $a$;

• $R_\pi$ is a binary relation for each non-basic program $\pi$, inductively built using the rules $R_{\pi_1;\pi_2} = R_{\pi_1} \circ R_{\pi_2}$, $R_{\pi_1 \cup \pi_2} = R_{\pi_1} \cup R_{\pi_2}$ and $R_{\pi^*} = R_\pi^*$, where $R_\pi^*$ denotes the reflexive transitive closure of $R_\pi$.

Definition 3. A model for PDL is a pair $\mathcal{M} = (\mathcal{F}, V)$, where $\mathcal{F}$ is a PDL frame and $V$ is a valuation function $V : \Phi \to 2^W$.

The semantical notion of satisfaction for PDL is defined as follows: 

Definition 4. Let $\mathcal{M} = (\mathcal{F}, V)$ be a model. The notion of satisfaction of a formula $\varphi$ in a model $\mathcal{M}$ at a state $w$, notation $\mathcal{M}, w \Vdash \varphi$, can be inductively defined as follows:

• $\mathcal{M}, w \Vdash p$ iff $w \in V(p)$;

• $\mathcal{M}, w \Vdash \top$ always;

• $\mathcal{M}, w \Vdash \neg\varphi$ iff $\mathcal{M}, w \nVdash \varphi$;

• $\mathcal{M}, w \Vdash \varphi_1 \wedge \varphi_2$ iff $\mathcal{M}, w \Vdash \varphi_1$ and $\mathcal{M}, w \Vdash \varphi_2$;

• $\mathcal{M}, w \Vdash \langle\pi\rangle\varphi$ iff there is $w' \in W$ such that $w R_\pi w'$ and $\mathcal{M}, w' \Vdash \varphi$.

2.2 Calculus for Communicating Systems 

The Calculus for Communicating Systems (CCS) is a well known process algebra, proposed by Robin Milner [12], for the specification of communicating concurrent systems. It models the concurrency and interaction between processes through individual acts of communication. A CCS specification is a description (in the form of algebraic equations) of the behaviour expected from a system, based on the communication events that may occur. For a broad introduction to CCS, [12] can be consulted.

In CCS, a pair of processes can communicate through a common channel and each act of communication consists simply of a signal being sent at one end of the channel and immediately being received at the other.

Let $\mathcal{N} = \{a, b, c, \ldots\}$ be a set of names. Each channel in a CCS specification is labelled by a name. The labels of the channels are also used to describe the communication actions (sending and receiving signals) performed by the processes, as is shown below. Besides these communication actions, CCS has only one other action: the silent action, denoted by $\tau$, used to represent any internal action performed by any of the processes that does not involve an act of communication (e.g. a memory update).

There are two possible semantics for the $\tau$ action in CCS: it can be regarded as being observable, in the same way as the communication actions, or it can be regarded as being invisible. We adopt the first one, since it is more generic. In our logical formalism, we are able to represent the second semantics as a particular case of the first.

Definition 5. In our presentation of CCS, process specifications can be built using the following operations:

$P ::= \alpha \mid \alpha.P \mid \alpha.A \mid P_1 + P_2 \mid P_1 \mid P_2 \mid P \backslash L$,

with

$\alpha ::= a \mid \bar{a} \mid \tau$,

where $a \in \mathcal{N}$, $L \subseteq \mathcal{N}$ and every constant $A$ has a unique defining equation $A \stackrel{\mathrm{def}}{=} P_A$, where $P_A$ is a process specification. In this work, every time that a process is linked to a constant $A$ through a defining equation, it will be denoted by $P_A$.

Originally, CCS also defines a null process, denoted by $0$. It represents the process that is unable to perform any actions. However, because of its somewhat loose definition, which fails to differentiate between a deadlock and a successful termination (unlike other process algebras, such as ACP [8], in which the deadlocked process and the terminated process are different), its use would bring a serious inconvenience to the semantics of our first two logics: the semantics would not be fully compositional. This is shown in detail in the next section. Because of that, we drop this null process until our third logic, when we extend CCS with new operators and partially redefine its semantics, obtaining a null process with a much better algebraic behaviour. To completely drop the null process, we must also drop the restriction operator, as it may be used to define such a process (e.g. $a \backslash \{a\}$). Hence, the restriction operator will also only be present in our third logic.

The prefix operator (.) denotes that the process will first perform the action $\alpha$ and then behave as $P$ or $A$. The summation (or nondeterministic choice) operator (+) denotes that the process will make a nondeterministic choice to behave as either $P_1$ or $P_2$. The parallel composition operator (|) denotes that the processes $P_1$ and $P_2$ may proceed independently or may communicate through a common channel. Finally, the restriction operator (\) denotes that the channels in $L$ are only accessible inside $P$. Iteration in CCS is modeled through recursive defining equations, i.e., equations $A \stackrel{\mathrm{def}}{=} P_A$ where $A$ occurs in $P_A$.

The action $a$, called input action, denotes that the process receives a signal through the channel labelled by $a$. The action $\bar{a}$, called output action, denotes that the process sends a signal through the channel labelled by $a$. Finally, $\tau$ denotes the silent action.

We write $P \xrightarrow{\alpha} P'$ to express that the process $P$ can perform the action $\alpha$ and after that behave as $P'$. We write $P \xrightarrow{\alpha} \surd$ to express that the process $P$ successfully finishes after performing the action $\alpha$ (a notation borrowed from ACP). A process only finishes when there is not any possible action left for it to perform. For example, $\alpha \xrightarrow{\alpha} \surd$. When a process finishes inside a parallel composition, we write $P$ instead of $P \mid \surd$. We also write $\surd$ instead of $\surd \backslash L$ and $\surd \mid \surd$. We define the set $\bar{L}$ as $\bar{L} = \{\bar{a} : a \in L\}$. In table 1 we present the semantics for the operators based on this notation. In this table, $P$, $Q$ and $P_A$ are process specifications, while $P'$ and $Q'$ are process specifications or $\surd$.
Table 1: Transition Relations of CCS (each rule reads premises above the line, conclusion below)

$\alpha \xrightarrow{\alpha} \surd$        $\alpha.P \xrightarrow{\alpha} P$        $\alpha.A \xrightarrow{\alpha} P_A$

$\dfrac{P \xrightarrow{\alpha} P'}{P + Q \xrightarrow{\alpha} P'}$        $\dfrac{Q \xrightarrow{\alpha} Q'}{P + Q \xrightarrow{\alpha} Q'}$

$\dfrac{P \xrightarrow{\alpha} P'}{P \mid Q \xrightarrow{\alpha} P' \mid Q}$        $\dfrac{Q \xrightarrow{\alpha} Q'}{P \mid Q \xrightarrow{\alpha} P \mid Q'}$        $\dfrac{P \xrightarrow{a} P' \quad Q \xrightarrow{\bar{a}} Q'}{P \mid Q \xrightarrow{\tau} P' \mid Q'}$

$\dfrac{P \xrightarrow{\alpha} P' \quad \alpha \notin L \cup \bar{L}}{P \backslash L \xrightarrow{\alpha} P' \backslash L}$


In order to motivate the use of CCS, we present a simple example of the 
use of the language below. Here, we are still using CCS outside of the logical 
formalisms that are presented in the next sections. 

Example 1 ([12, 17]). Consider a vending machine where one can put coins of one or two euro and buy a little or a big chocolate bar. After inserting the coins, one must press the little button for a little chocolate or the big button for a big chocolate. The machine is also programmed to shutdown on its own following some internal protocol (represented by a $\tau$ action). A CCS term describing the behaviour of this machine is the following:

$V = 1e.little.collect.A + 1e.1e.big.collect.A + 2e.big.collect.A$

$A \stackrel{\mathrm{def}}{=} 1e.little.collect.A + 1e.1e.big.collect.A + 2e.big.collect.A + \tau$

Let us now suppose that Chuck wants to use this vending machine. We could describe Chuck as

$C = 1e.little.collect + 1e.1e.big.collect + 2e.big.collect$.

Notice that Chuck does not have an iterative behaviour. Once he collects the chocolate, he is done. Now, if we want to model the process of Chuck buying a chocolate from the vending machine, we could write $(V \mid C) \backslash L$, where $L = \{1e, 2e, little, big, collect\}$.

Definition 6. Let $\mathcal{V}$ be the set of all possible process specifications. A set $Z \subseteq \mathcal{V} \times \mathcal{V}$ is a strong bisimulation if $(P, Q) \in Z$ implies the following:

• If $P \xrightarrow{\alpha} P'$ and $P' \in \mathcal{V}$, then there is $Q' \in \mathcal{V}$ such that $Q \xrightarrow{\alpha} Q'$ and $(P', Q') \in Z$;

• If $Q \xrightarrow{\alpha} Q'$ and $Q' \in \mathcal{V}$, then there is $P' \in \mathcal{V}$ such that $P \xrightarrow{\alpha} P'$ and $(P', Q') \in Z$;

• $P \xrightarrow{\alpha} \surd$ if and only if $Q \xrightarrow{\alpha} \surd$.

Definition 7. Two process specifications $P$ and $Q$ are strongly bisimilar (or simply bisimilar), denoted by $P \sim Q$, if there is a strong bisimulation $Z$ such that $(P, Q) \in Z$.

Now, we introduce the Expansion Law, which is very important in the definition of the semantics of our logics in the next sections and in their axiomatizations. We present a particular case of the Expansion Law, which is suited to our needs. The most general case of the Expansion Law is presented in [12].

Definition 8. We say that a process is unrestricted if it has no occurrences of the \ operator.






Theorem 1 (Expansion Law (EL)). Let $P = P_1 \mid P_2$, where $P$ is unrestricted. Then

$P \sim \sum_{P_1 \xrightarrow{\alpha} P_1'} \alpha.(P_1' \mid P_2) \;+\; \sum_{P_2 \xrightarrow{\beta} P_2'} \beta.(P_1 \mid P_2') \;+\; \sum_{\gamma \in \Delta_\tau} \tau.\gamma,$

where $\Delta_\tau = \{(P_1' \mid P_2') : P_1 \xrightarrow{a} P_1' \text{ and } P_2 \xrightarrow{\bar{a}} P_2', \text{ for some } a \in \mathcal{N}\} \cup \{(P_1' \mid P_2') : P_1 \xrightarrow{\bar{a}} P_1' \text{ and } P_2 \xrightarrow{a} P_2', \text{ for some } a \in \mathcal{N}\}$. We denote the right side of this bisimilarity by $Exp(P)$.

2.3 Action Sequences and Possible Runs 

In this section, we introduce the key concept of finite possible runs of a process. 
This concept plays a central role in the semantics of our logics. 

Definition 9. We use the notation $\vec{a}$ to denote a potentially infinite sequence of actions $a_1.a_2.\cdots.a_n(.\cdots)$ (the empty sequence is denoted by $\vec{\epsilon}$). The empty sequence follows the rule $\vec{a}.\vec{\epsilon} = \vec{\epsilon}.\vec{a} = \vec{a}$, for all $\vec{a}$. We denote the $i$-th term of the sequence $\vec{a}$ by $(\vec{a})_i$.

Definition 10. We say that a finite sequence of actions $\vec{\beta}$ is a prefix of $\vec{a}$ if there is a non-empty sequence $\vec{\lambda}$ such that $\vec{a} = \vec{\beta}.\vec{\lambda}$. If $\vec{\beta}$ is a prefix of $\vec{a}$, we write $\vec{\beta} \sqsubset \vec{a}$.

Definition 11. We write $P \xrightarrow{\vec{a}} P'$ to express that the process $P$ may perform the sequence of actions $\vec{a}$ and after that behave as $P'$. We write $P \xrightarrow{\vec{a}} \surd$ to express that the process $P$ may successfully finish after performing the sequence of actions $\vec{a}$ (this, in particular, implies that $\vec{a}$ is finite).

Definition 12. We define the set of finite possible runs of a process $P$, denoted by $\mathcal{R}_f(P)$, as $\mathcal{R}_f(P) = \{\vec{a} : P \xrightarrow{\vec{a}} \surd\}$.

We want to define semantics for our logics that only take into account the 
finite possible runs of the processes, i.e., situations in which the processes suc- 
cessfully finish. Thus, we present some useful results about finite possible runs. 

Definition 13. Let $R$ and $S$ be sets of finite sequences of actions. We can define the following operations on these sets:

1. $R \circ S = \{\vec{a}.\vec{\beta} : \vec{a} \in R \text{ and } \vec{\beta} \in S\}$;

2. $R \cup S = \{\vec{a} : \vec{a} \in R \text{ or } \vec{a} \in S\}$;

3. $R^0 = \{\vec{\epsilon}\}$, $R^n = R \circ R^{n-1}$ ($n \ge 1$);

4. $R^* = \bigcup_{n \in \mathbb{N}} R^n$.

Lemma 1. If $P \sim Q$, then $P \xrightarrow{\vec{a}} \surd$ if and only if $Q \xrightarrow{\vec{a}} \surd$.

Proof. We prove this by induction on the length $n$ of $\vec{a}$. If $n = 0$, then $\vec{a} = \vec{\epsilon}$ and neither $P$ nor $Q$ may successfully finish without executing any action. If $n = 1$, then $\vec{a} = \alpha$, for some action $\alpha$. Then, $P \xrightarrow{\vec{a}} \surd \Leftrightarrow P \xrightarrow{\alpha} \surd$. By the hypothesis that $P \sim Q$, $P \xrightarrow{\alpha} \surd \Leftrightarrow Q \xrightarrow{\alpha} \surd$. Finally, $Q \xrightarrow{\alpha} \surd \Leftrightarrow Q \xrightarrow{\vec{a}} \surd$.

Suppose that the lemma is true for all $n < k$. Let $\vec{a}$ be a sequence of length $k$. Let $\alpha$ be the first action of the sequence and let $\vec{\beta}$ be a sequence of length $k - 1$ such that $\vec{a} = \alpha.\vec{\beta}$. Then, $P \xrightarrow{\vec{a}} \surd$ if and only if there is a process $P'$ such that $P \xrightarrow{\alpha} P'$ and $P' \xrightarrow{\vec{\beta}} \surd$. But if $P \xrightarrow{\alpha} P'$ and $P \sim Q$, then there is a process $Q'$ such that $Q \xrightarrow{\alpha} Q'$ and $P' \sim Q'$. Now, $\vec{\beta}$ is a sequence of length shorter than $k$, so by the induction hypothesis, as $P' \sim Q'$ and $P' \xrightarrow{\vec{\beta}} \surd$, then $Q' \xrightarrow{\vec{\beta}} \surd$. This means that $Q \xrightarrow{\vec{a}} \surd$, proving the lemma. □

Theorem 2. If $P \sim Q$, then $\mathcal{R}_f(P) = \mathcal{R}_f(Q)$.

Proof. Suppose that $\vec{a} \in \mathcal{R}_f(P)$. Then, $P \xrightarrow{\vec{a}} \surd$. As $P \sim Q$, this implies, by lemma 1, that $Q \xrightarrow{\vec{a}} \surd$, which means that $\vec{a} \in \mathcal{R}_f(Q)$. Thus, $\mathcal{R}_f(P) \subseteq \mathcal{R}_f(Q)$. The proof that $\mathcal{R}_f(Q) \subseteq \mathcal{R}_f(P)$ is entirely analogous. □

3 sCCS-PDL 

This section presents our first CCS-Based Dynamic Logic. In this logic, all the 
CCS processes that appear do not use constants or restriction. We call this 
logic Small CCS-PDL or sCCS-PDL. Our goal here is to introduce a simple 
logic and discuss some of the issues concerning the axioms and the relational 
interpretation of the formulas. 

3.1 Language and Semantics 

In this section, we present the syntax and semantics of sCCS-PDL. 

Definition 14. The sCCS-PDL language consists of a set $\Phi$ of countably many proposition symbols, a set $\mathcal{N}$ of countably many names, the silent action $\tau$, the boolean connectives $\neg$ and $\wedge$, the CCS operators $.$, $+$ and $\mid$ and a modality $\langle P\rangle$ for every process $P$. The formulas are defined as follows:

$\varphi ::= p \mid \top \mid \neg\varphi \mid \varphi_1 \wedge \varphi_2 \mid \langle P\rangle\varphi$, with $P ::= \alpha \mid \alpha.P \mid P_1 + P_2 \mid P_1 \mid P_2$,
where $p \in \Phi$ and $\alpha \in \mathcal{N} \cup \bar{\mathcal{N}} \cup \{\tau\}$.

Definition 15. A frame for sCCS-PDL is a tuple $\mathcal{F} = (W, \{R_\alpha\})$ where

• $W$ is a non-empty set of states;

• $R_\alpha$ is a binary relation for each basic action $\alpha \in \mathcal{N} \cup \bar{\mathcal{N}} \cup \{\tau\}$.

Definition 16. A model for sCCS-PDL is a pair $\mathcal{M} = (\mathcal{F}, V)$, where $\mathcal{F}$ is a sCCS-PDL frame and $V$ is a valuation function $V : \Phi \to 2^W$.

We now define the semantical notion of satisfaction for sCCS-PDL as follows: 

Definition 17. Let $\mathcal{M} = (\mathcal{F}, V)$ be a model. The notion of satisfaction of a formula $\varphi$ in a model $\mathcal{M}$ at a state $w$, notation $\mathcal{M}, w \Vdash \varphi$, can be inductively defined as follows:

• $\mathcal{M}, w \Vdash p$ iff $w \in V(p)$;

• $\mathcal{M}, w \Vdash \top$ always;

• $\mathcal{M}, w \Vdash \neg\varphi$ iff $\mathcal{M}, w \nVdash \varphi$;

• $\mathcal{M}, w \Vdash \varphi_1 \wedge \varphi_2$ iff $\mathcal{M}, w \Vdash \varphi_1$ and $\mathcal{M}, w \Vdash \varphi_2$;

• $\mathcal{M}, w \Vdash \langle P\rangle\varphi$ iff there is a finite path $(v_0, v_1, \ldots, v_n)$, $n \ge 1$, such that $v_0 = w$, $\mathcal{M}, v_n \Vdash \varphi$ and there is $\vec{a} \in \mathcal{R}_f(P)$ of length $n$ such that $(v_{i-1}, v_i) \in R_\beta$ if and only if $(\vec{a})_i = \beta$, for $1 \le i \le n$. We say that such $\vec{a}$ matches the path $(v_0, \ldots, v_n)$.

If $\mathcal{M}, w \Vdash \varphi$ for every state $w$, we say that $\varphi$ is globally satisfied in the model $\mathcal{M}$, notation $\mathcal{M} \Vdash \varphi$. If $\varphi$ is globally satisfied in all models of a frame $\mathcal{F}$, we say that $\varphi$ is valid in $\mathcal{F}$, notation $\mathcal{F} \Vdash \varphi$. Finally, if $\varphi$ is valid in all frames, we say that $\varphi$ is valid, notation $\Vdash \varphi$. Two formulas $\varphi$ and $\psi$ are semantically equivalent if $\Vdash \varphi \leftrightarrow \psi$.

As mentioned in the previous section, there are two possible semantics for the $\tau$ action in CCS: it can be regarded as being observable or as being invisible. In our logics, we adopt the first one, since we are able to represent the second semantics as a particular case of the first. In fact, to do that, the only thing that is necessary is to force, in the frames under consideration, $R_\tau$ to be the relation $R_\tau = \{(w, w) : w \in W\}$.

Theorem 3. $\mathcal{R}_f(P) = \mathcal{R}_f(Q)$ if and only if $\Vdash \langle P\rangle p \leftrightarrow \langle Q\rangle p$.

Proof. ($\Rightarrow$) Suppose that $\mathcal{R}_f(P) = \mathcal{R}_f(Q)$, but $\nVdash \langle P\rangle p \leftrightarrow \langle Q\rangle p$. Then, we may assume, without loss of generality, that there is a model $\mathcal{M}$ and a state $v_0$ in this model such that $\mathcal{M}, v_0 \Vdash \langle P\rangle p$ (*), but $\mathcal{M}, v_0 \nVdash \langle Q\rangle p$ (**). By definition 17, (*) implies that there is a path $(v_0, v_1, \ldots, v_n)$, $n \ge 1$, in $\mathcal{M}$ such that $\mathcal{M}, v_n \Vdash p$ (***) and there is $\vec{a} \in \mathcal{R}_f(P)$ that matches this path. But as $\mathcal{R}_f(P) = \mathcal{R}_f(Q)$, then $\vec{a} \in \mathcal{R}_f(Q)$. This and (***) imply, by definition 17, that $\mathcal{M}, v_0 \Vdash \langle Q\rangle p$, contradicting (**).

($\Leftarrow$) Suppose that $\Vdash \langle P\rangle p \leftrightarrow \langle Q\rangle p$ (*), but $\mathcal{R}_f(P) \ne \mathcal{R}_f(Q)$. Then, we may assume, without loss of generality, that there is $\vec{a}$ such that $\vec{a} \in \mathcal{R}_f(P)$, but $\vec{a} \notin \mathcal{R}_f(Q)$. Let us build a frame $\mathcal{F}$ that consists solely of a path $(v_0, \ldots, v_n)$, $n \ge 1$, such that $R_\alpha = \{(v_{i-1}, v_i) : 1 \le i \le n$ and $\alpha$ is the $i$-th term of $\vec{a}\}$.

Let $\mathcal{M} = (\mathcal{F}, V)$, such that $v_n \in V(p)$ and $v_i \notin V(p)$, $1 \le i < n$. Then, we have a path $(v_0, \ldots, v_n)$ such that $\mathcal{M}, v_n \Vdash p$ and $\vec{a} \in \mathcal{R}_f(P)$ matches this path. By definition 17, $\mathcal{M}, v_0 \Vdash \langle P\rangle p$. However, $\vec{a} \notin \mathcal{R}_f(Q)$, so $(v_0, \ldots, v_n)$ is not matched by any sequence in $\mathcal{R}_f(Q)$. Besides that, there is no other path $(v_0, \ldots, v_m)$, $m \ge 1$, in $\mathcal{F}$ such that $\mathcal{M}, v_m \Vdash p$. Thus, by definition 17, $\mathcal{M}, v_0 \nVdash \langle Q\rangle p$, which contradicts (*). □

Corollary 1. If $P \sim Q$, then $\Vdash \langle P\rangle p \leftrightarrow \langle Q\rangle p$.

Proof. It follows directly from theorems 2 and 3. □

We present some equalities between sets of finite possible runs that are useful to the soundness proof of our axiomatization and to show why the null process is problematic.

Theorem 4. The following set equalities are true:

1. $\mathcal{R}_f(\alpha) = \{\alpha\}$;

2. $\mathcal{R}_f(\alpha.P) = \mathcal{R}_f(\alpha) \circ \mathcal{R}_f(P)$;

3. $\mathcal{R}_f(P_1 + P_2) = \mathcal{R}_f(P_1) \cup \mathcal{R}_f(P_2)$.

Proof. The proof is straightforward from table 1. □

Theorem 5. The following formulas are valid:

1. $\langle\alpha.P\rangle p \leftrightarrow \langle\alpha\rangle\langle P\rangle p$

2. $\langle P_1 + P_2\rangle p \leftrightarrow \langle P_1\rangle p \vee \langle P_2\rangle p$

Proof. We only provide the proof for the first formula. The proof for the second formula follows by an analogous line of reasoning, using the third equality in theorem 4 instead of the second one.

($\Rightarrow$) Suppose that, for some model $\mathcal{M}$ and some state $w$ in this model, $\mathcal{M}, w \Vdash \langle\alpha.P\rangle p$. Then, by definition 17, there is a finite path $(v_0, v_1, \ldots, v_n)$, $n \ge 1$, such that $v_0 = w$, $\mathcal{M}, v_n \Vdash p$ and a sequence $\vec{a} \in \mathcal{R}_f(\alpha.P)$ that matches this path. Now, by the first and second equalities in theorem 4, there is a sequence $\vec{\beta} \in \mathcal{R}_f(P)$ such that $\vec{a} = \alpha.\vec{\beta}$. $\vec{\beta}$ matches the path $(v_1, \ldots, v_n)$, which implies that $\mathcal{M}, v_1 \Vdash \langle P\rangle p$. Besides that, $\alpha$ matches the path $(v_0, v_1)$, which implies that $\mathcal{M}, w \Vdash \langle\alpha\rangle\langle P\rangle p$. Thus, $\langle\alpha.P\rangle p \to \langle\alpha\rangle\langle P\rangle p$ is valid.

($\Leftarrow$) This proof is entirely analogous to the previous one, using the second equality in theorem 4 in the reverse direction. □

Now it is possible to see why, as stated in the previous section, the use of the null process $0$ in our logics would be inconvenient. The problems that would appear come from the fact that, as described in [12], in a specification of the form $\alpha.0$, $0$ is denoting a process that has successfully terminated, while in a specification of the form $P + 0$, $0$ is denoting a deadlocked process. This double role cannot be kept in our logics without sacrificing a very desirable property in a dynamic logic: the compositional semantics, illustrated in theorem 5.

The compositional semantics is a direct consequence of the set equalities in theorem 4. But when we try to keep them in the presence of $0$, some problems arise. $\mathcal{R}_f(\alpha.0) = \{\alpha\}$, since $0$ denotes successful termination in this case (if $0$ denoted a deadlock, then $\mathcal{R}_f(\alpha.0)$ would be $\emptyset$), and $\mathcal{R}_f(P + 0) = \mathcal{R}_f(P)$, since $0$ denotes a deadlock in this case (if $0$ denoted successful termination, then $\mathcal{R}_f(P + 0)$ would be $\mathcal{R}_f(P) \cup \{\vec{\epsilon}\}$). To keep the second equality in theorem 4, we must have $\{\alpha\} = \mathcal{R}_f(\alpha.0) = \mathcal{R}_f(\alpha) \circ \mathcal{R}_f(0)$, which implies that $\mathcal{R}_f(0) = \{\vec{\epsilon}\}$ (*). On the other hand, to keep the third equality, we must have $\mathcal{R}_f(P) = \mathcal{R}_f(P + 0) = \mathcal{R}_f(P) \cup \mathcal{R}_f(0)$, which implies that $\mathcal{R}_f(0) = \emptyset$ (**).

In the logical formalism, by theorem 5, (*) would imply that $\langle 0\rangle\varphi$ is semantically equivalent to $\varphi$, while (**) would imply that $\langle 0\rangle\varphi$ is semantically equivalent to $\bot$. The crucial point in this situation is that we would have to either abandon at least one of the equalities in theorem 4, substituting it by a pair of equations, one for the case where $P \ne 0$ and the other for the case where $P = 0$, or somehow change the semantics so that the meaning of a subformula of the form $\langle 0\rangle\varphi$ will depend on the context in which it is inserted, being sometimes equivalent to $\varphi$ and sometimes to $\bot$. Both "solutions" would seriously compromise the compositionality of the semantics.

We address this issue of the null process in our third logic, without introducing any of the above problems. There, we redefine the process $0$ so that it denotes only a deadlocked process, while defining a new way to denote termination.

3.2 Axiomatic System 

We consider the following set of axioms and rules, where $p$ and $q$ are proposition symbols and $\varphi$ and $\psi$ are formulas.

(PL) Enough propositional logic tautologies

(K) $\vdash [P](p \to q) \to ([P]p \to [P]q)$

(Du) $\vdash [P]p \leftrightarrow \neg\langle P\rangle\neg p$

(Pr) $\vdash \langle\alpha.P\rangle p \leftrightarrow \langle\alpha\rangle\langle P\rangle p$

(NC) $\vdash \langle P_1 + P_2\rangle p \leftrightarrow \langle P_1\rangle p \vee \langle P_2\rangle p$

(PC) If EL can be applied to $P$, then $\vdash \langle P\rangle p \leftrightarrow \langle Exp(P)\rangle p$

(Sub) If $\vdash \varphi$, then $\vdash \varphi^\sigma$, where $\sigma$ uniformly substitutes proposition symbols by arbitrary formulas.

(MP) If $\vdash \varphi$ and $\vdash \varphi \to \psi$, then $\vdash \psi$.

(Gen) If $\vdash \varphi$, then $\vdash [P]\varphi$.

It is important to notice that the theorems $\vdash \langle P_1 + P_2\rangle p \leftrightarrow \langle P_2 + P_1\rangle p$ and $\vdash \langle P_1 \mid P_2\rangle p \leftrightarrow \langle P_2 \mid P_1\rangle p$, which state the commutativity of the $+$ and $\mid$ operators, are derivable from the axiomatic system above.

The axioms (PL), (K) and (Du) and the rules (Sub), (MP) and (Gen) are standard in the modal logic literature. The soundness of (Pr) and (NC) follows directly from the set equalities in theorem 4 and from definition 17, as shown in theorem 5. Finally, the soundness of (PC) follows from theorem 1 and corollary 1.

The above axiomatic system is also complete with respect to the class of sCCS-PDL frames and the logic has the finite model property. We omit the proofs here, because they are analogous to the proofs presented in section 4, where constants are added to the language.

4 CCS-PDL 

The logic presented in this section uses the same CCS operators as in the previ- 
ous section plus constants. This is the CCS-PDL logic. Our goal in this section 
is to build an axiomatic system for CCS-PDL and prove its completeness. 
4.1 Language and Semantics

In this section, we present the syntax and semantics of CCS-PDL.

Definition 18. The CCS-PDL language consists of a set $\Phi$ of countably many proposition symbols, a set $\mathcal{N}$ of countably many names, the silent action $\tau$, the boolean connectives $\neg$ and $\wedge$, the CCS operators $.$, $+$ and $\mid$, a set $\mathcal{C}$ of countably many constants, such that each element of $\mathcal{C}$ has its unique correspondent defining equation, and a modality $\langle P\rangle$ for every process $P$. The formulas are defined as follows:

$\varphi ::= p \mid \top \mid \neg\varphi \mid \varphi_1 \wedge \varphi_2 \mid \langle P\rangle\varphi$, with $P ::= \alpha \mid \alpha.P \mid \alpha.A \mid P_1 + P_2 \mid P_1 \mid P_2$,
where $p \in \Phi$, $\alpha \in \mathcal{N} \cup \bar{\mathcal{N}} \cup \{\tau\}$ and $A \in \mathcal{C}$.

The presence of constants in the language allows us to write specifications that are capable of iteration, as $P = a.A$, with $A \stackrel{\mathrm{def}}{=} a.A + \tau$. However, constants have a much greater power than just expressing iterative behaviours. With constants, we are able to write self-replicating specifications, as $P = ((\tau.A) + \tau) \mid Q$, with $A \stackrel{\mathrm{def}}{=} ((\tau.A) + \tau) \mid Q$. After the execution of $n$ $\tau$-actions, $P$ is capable of behaving as $n$ $Q$-processes in parallel, for any $n \in \mathbb{N}$.

The example above is a very simple example of self-replication and it is easy to see that things can get very complex if we start nesting self-replicating processes.

In order to keep the logic simple, that is, keep the simple Kripke semantics, the finite model property and a simple and complete axiomatization, we restrict the use of constants in CCS-PDL in order to prevent self-replicating processes (in [S], Dam enforces a similar syntactic restriction, also to prevent unbounded process growth). The issue of whether it is possible to keep these desirable properties of the logic in the presence of replication remains an open problem and we defer it to a future work, as explained in section 6.

Definition 19. Let P be a process and {Ai, . . . , An} be the constants that 
occur in P. We define Cons{P) as the smallest set of constants such that 
Cons{P) 3 {Ai, . . . , An} and, for every constant Ai £ Cons(P), if Ak occurs 
in PAi, then Ak G Cons(P). 

Restriction 1. We make the following restrictions to processes in CCS-PDL: 

1. $\mathrm{Cons}(P)$ must be a finite set for every process $P$; 

2. We only allow defining equations that fit into one of the following models: 

• $A \stackrel{def}{=} P_A$, where $A \notin \mathrm{Cons}(P_A)$, called non-recursive equations; 

• $A \stackrel{def}{=} a_1.A + \ldots + a_n.A + T_A$, where $A \notin \mathrm{Cons}(T_A)$, called recursive 
equations. 

The set equalities from theorem 4 remain valid, along with the equality 

$\mathcal{R}_f(a.A) = \mathcal{R}_f(a) \circ \mathcal{R}_f(P_A)$, (1) 

which also follows from table 1. 

However, due to the possibility of iterative behaviours, some set equalities 
may present themselves as recursive equations. In these cases, it is possible to 
obtain an equivalent non-recursive equality. First, the recursive equation can be 
rewritten, using the set equalities in theorem 4 and equation (1), as $\mathcal{R}_f(P) = 
\mathcal{R}_f(P') \circ \mathcal{R}_f(P) \cup \mathcal{R}_f(Q)$, where $\mathcal{R}_f(Q)$ is not a function of $\mathcal{R}_f(P)$. Now, as 
all sequences in $\mathcal{R}_f(P)$, $\mathcal{R}_f(P')$ and $\mathcal{R}_f(Q)$ are finite and $\vec{\epsilon} \notin \mathcal{R}_f(P')$, we may 
use a result known as Arden's Rule, which states that if $X$, $A$ and $B$ are sets of 
finite strings and the empty string is not in $A$, then the equation $X = A \circ X \cup B$ 
has as its unique solution $X = A^* \circ B$. Thus, $\mathcal{R}_f(P) = \mathcal{R}_f^*(P') \circ \mathcal{R}_f(Q)$. 

Definition 20. We say that a process $P$ is a knot process if $P = P_A$ for some 
constant $A$ with a recursive defining equation or if $P = P_1 | P_2$ where $P_1$ or $P_2$ 
is a knot process. Otherwise, we say that $P$ is a non-knot process. 

Definition 21. We call a non-empty sequence of actions $\vec{\alpha}$ a loop of a knot 
process $P$ if $P \xrightarrow{\vec{\alpha}} P$. We say that $\vec{\alpha}$ is a proper loop if $\vec{\alpha}$ is a loop and there 
is no $\vec{\beta} \subset \vec{\alpha}$, with $\vec{\alpha} = \vec{\beta}.\vec{\lambda}$, such that $\vec{\beta}$ and $\vec{\lambda}$ are loops of $P$. The set of 
loops of $P$ is denoted by $\mathrm{Lo}(P)$ and the set of proper loops of $P$ is denoted by 
$\mathrm{PLo}(P)$. 

Theorem 6. $\vec{\alpha} \in \mathrm{Lo}(P)$ if and only if $\vec{\alpha} = \vec{\alpha}_1 . \cdots . \vec{\alpha}_n$, $n \geq 1$, where $\vec{\alpha}_i \in 
\mathrm{PLo}(P)$, for all $i \in \{1, \ldots, n\}$. 

Proof. The proof is straightforward from definition 21. □ 

Definition 22. We call a sequence of actions $\vec{\alpha}$ a breaker of a knot process 
$P$ if there is no $\vec{\beta}$ such that $\vec{\alpha} \subseteq \vec{\beta}$ and $\vec{\beta}$ is a loop. We say that $\vec{\alpha}$ is a 
proper breaker if $\vec{\alpha}$ is a breaker and there is no $\vec{\beta} \subset \vec{\alpha}$, with $\vec{\alpha} = \vec{\beta}.\vec{\lambda}$, 
such that $\vec{\beta}$ is a loop and $\vec{\lambda}$ is a breaker. Finally, we say that $\vec{\alpha}$ is a minimal 
proper breaker if $\vec{\alpha}$ is a proper breaker and there is no $\vec{\beta} \subset \vec{\alpha}$ such that $\vec{\beta}$ is a 
proper breaker. The set of breakers of $P$ is denoted by $\mathrm{Br}(P)$, the set of proper 
breakers of $P$ is denoted by $\mathrm{PBr}(P)$ and the set of minimal proper breakers of 
$P$ is denoted by $\mathrm{MPBr}(P)$. 

Theorem 7. $\vec{\alpha} \in \mathrm{PBr}(P)$ if and only if $\vec{\alpha} = \vec{\beta}.\vec{\lambda}$, where $\vec{\beta} \in \mathrm{MPBr}(P)$. 

Proof. The proof is straightforward from definition 22. □ 

Using the concepts of loops and breakers, we can split a knot process $P$ into 
two parts: the looping part, denoted by $L_P$, and the tail part, denoted by $T_P$. 

$L_P = \sum\{\vec{\alpha} : \vec{\alpha} \in \mathrm{PLo}(P)\}$ 

and 

$T_P = \sum\{\vec{\alpha}.P' : \vec{\alpha} \in \mathrm{MPBr}(P) \text{ and } P \xrightarrow{\vec{\alpha}} P'\}$ 

Theorem 8. If $P$ is a knot process, then $\mathcal{R}_f(P) = \mathcal{R}_f^*(L_P) \circ \mathcal{R}_f(T_P)$. 

Proof. We show that $\mathcal{R}_f(P) = \mathcal{R}_f(L_P) \circ \mathcal{R}_f(P) \cup \mathcal{R}_f(T_P)$. The result then 
follows from Arden's Rule [1], since $\vec{\epsilon} \notin \mathcal{R}_f(L_P)$. 

If $\vec{\alpha} \in \mathcal{R}_f(L_P) \circ \mathcal{R}_f(P)$, then $\vec{\alpha} = \vec{\beta}.\vec{\lambda}$, where $\vec{\beta} \in \mathcal{R}_f(L_P)$ and $\vec{\lambda} \in 
\mathcal{R}_f(P)$. Then, $P \xrightarrow{\vec{\beta}} P$ and $P \xrightarrow{\vec{\lambda}} \surd$, which implies that $P \xrightarrow{\vec{\alpha}} \surd$. Thus, $\vec{\alpha} \in 
\mathcal{R}_f(P)$. If $\vec{\alpha} \in \mathcal{R}_f(T_P)$, then $\vec{\alpha} = \vec{\beta}.\vec{\lambda}$, where $P \xrightarrow{\vec{\beta}} P'$ and $P' \xrightarrow{\vec{\lambda}} \surd$, which 
implies that $P \xrightarrow{\vec{\alpha}} \surd$. Thus, $\vec{\alpha} \in \mathcal{R}_f(P)$. This proves that $\mathcal{R}_f(L_P) \circ \mathcal{R}_f(P) \cup 
\mathcal{R}_f(T_P) \subseteq \mathcal{R}_f(P)$. 

If $\vec{\alpha} \in \mathcal{R}_f(P)$, then we have two cases: 

1. There is $\vec{\beta} \subset \vec{\alpha}$, with $\vec{\alpha} = \vec{\beta}.\vec{\lambda}$, such that $\vec{\beta}$ is a loop. Then, by 
theorem 6, $\vec{\beta} = \vec{\beta}_1.\vec{\beta}_2$, where $\vec{\beta}_1 \in \mathrm{PLo}(P)$. This means that $\vec{\beta}_1 \in 
\mathcal{R}_f(L_P)$. If we make $\vec{\gamma} = \vec{\beta}_2.\vec{\lambda}$, then $\vec{\alpha} = \vec{\beta}_1.\vec{\gamma}$ and $P \xrightarrow{\vec{\gamma}} \surd$. Thus, 
$\vec{\gamma} \in \mathcal{R}_f(P)$ and $\vec{\alpha} \in \mathcal{R}_f(L_P) \circ \mathcal{R}_f(P)$. 

2. There is no $\vec{\beta} \subset \vec{\alpha}$, with $\vec{\alpha} = \vec{\beta}.\vec{\lambda}$, such that $\vec{\beta}$ is a loop. This implies 
that, for all $\vec{\beta} \subseteq \vec{\alpha}$, $\vec{\beta} \in \mathrm{PBr}(P)$. Then, by theorem 7, $\vec{\beta} = \vec{\beta}_1.\vec{\beta}_2$, 
where $\vec{\beta}_1 \in \mathrm{MPBr}(P)$. If we make $\vec{\gamma} = \vec{\beta}_2.\vec{\lambda}$, then $\vec{\alpha} = \vec{\beta}_1.\vec{\gamma}$. This 
means that, if $P \xrightarrow{\vec{\beta}_1} P'$, then $P' \xrightarrow{\vec{\gamma}} \surd$. Thus, $\vec{\alpha} \in \mathcal{R}_f(T_P)$. 

This proves that $\mathcal{R}_f(P) \subseteq \mathcal{R}_f(L_P) \circ \mathcal{R}_f(P) \cup \mathcal{R}_f(T_P)$. □ 
We also define the process $L'_P$, which is capable of iterating $L_P$: 

$L'_P = \sum\{\vec{\alpha}.Z_P : \vec{\alpha} \in \mathrm{PLo}(P)\} + L_P$, 

where $Z_P$ is a new constant with defining equation $Z_P \stackrel{def}{=} L'_P$. 

The notions of frame, model and satisfaction are defined analogously to 
definitions 10, 11 and 12. It is not difficult to see that theorem 3 and corollary 
1 remain valid in CCS-PDL. 

4.2 Axiomatic System 

The axiomatic system is similar to the one presented in section 3.2. We consider 
the following set of axioms and rules, where $p$, $q$ and $r$ are proposition symbols 
and $\varphi$ and $\psi$ are formulas. 

• The axioms (PL), (K) and (Du) and the rules (Sub), (MP) and (Gen). 

• Axioms for knot processes: 

(Rec) $\vdash \langle P\rangle p \leftrightarrow \langle T_P\rangle p \vee \langle L_P\rangle\langle P\rangle p$ 

(FP) $\vdash (r \rightarrow ([T_P]\neg p \wedge [L_P]r)) \wedge [L'_P](r \rightarrow ([T_P]\neg p \wedge [L_P]r)) \rightarrow (r \rightarrow [P]\neg p)$ 

• Axioms for non-knot processes: 

(sCCS) The axioms (Pr), (NC) and the rule (PC). 

(Cons) $\vdash \langle a.A\rangle p \leftrightarrow \langle a\rangle\langle P_A\rangle p$ 
The proof of soundness is analogous to the proof of soundness for sCCS-PDL. 
The soundness of (Rec) and (FP) follows from theorems 8 and 3. The axiom 
(FP) may seem strange at first, but it is just an adaptation of the so-called 
induction axiom to our particular situation. The soundness of (Cons) follows 
from equation (1) and theorem 3. 

Theorem 9 (Completeness). Every consistent formula is satisfiable in a finite 
CCS-PDL model. 

Proof. The proof is presented in appendix A. □ 

5 XCCS-PDL 

As was shown in section 3, the use of the null process of CCS in our 
first two logics would bring a serious inconvenience to their semantics: their 
compositionality would be compromised. This problem also affects our ability 
to include the restriction operator in these logics. Besides that, in CCS-PDL, 
we have to define two distinct sets of axioms, depending on whether the process 
under consideration is a knot process or not. 

In this section, our goal is to solve these two problems that occur in the 
previous logics. In order to accomplish this, we first extend the language of 
CCS with new operators and a new type of action and slightly redefine its 
semantics. We call this new process algebra extended CCS or XCCS. Then, we 
define a dynamic logic in which the programs are XCCS processes (XCCS-PDL). 
Because of the refined definition of the null process in XCCS, we can include 
it in this logic, as well as the restriction operator. Besides that, one of the new 
operators of XCCS, the iteration operator, allows us to deal with all sorts of 
processes with just one set of axioms and also to drop the constants and all of 
their elaborate theory from the language. 

5.1 XCCS 

In CCS, we have the set of actions $\mathcal{A} = \mathcal{N} \cup \overline{\mathcal{N}} \cup \{\tau\}$. In XCCS, we denote 
this set of actions as $\mathcal{A}_r$, the set of running actions. In XCCS, we have an 
extra action, besides the ones in $\mathcal{A}_r$, called the ending action and denoted by 
END. A process in XCCS can only successfully finish after performing the 
action END and it always successfully finishes after performing such an action. If 
a process cannot perform any running action and cannot successfully finish, it 
is called a deadlocked process. 

Definition 23. In XCCS, process specifications can be built using the following 
operations: 

$P ::= 0 \mid \mathrm{END} \mid \alpha.P \mid P_1 ; P_2 \mid P_1 + P_2 \mid P_1 | P_2 \mid P^* \mid P \backslash L$, 

with 

$\alpha ::= a \mid \bar{a} \mid \tau$, 

where $a \in \mathcal{N}$ and $L \subseteq \mathcal{N}$. 

$0$ is the null process. It is a deadlocked process, since it is incapable of per- 
forming any running action and of successfully finishing. END is a process that 
is incapable of performing any running action, but it is capable of successfully 
finishing. The sequential composition operator (;) denotes that the process will 
first behave as $P_1$ and, if and when $P_1$ successfully terminates, it will proceed 
behaving as $P_2$. The iteration operator (*) denotes that the process $P$ is capable 
of being iterated zero or more times. In table 2 we present the semantics for 
the XCCS operators. 

Table 2: Transition Relations of XCCS (the rules for $\alpha.P$, END, $P;Q$, $P+Q$, $P|Q$, $P^*$ and $P\backslash L$; the table itself did not survive extraction) 

From table 2 it is not difficult to see that now the null process denotes 
only a deadlocked process. As explained in section 2, the situation in standard 
CCS is different, since there, in a specification of the form $a.0$, $0$ denotes a 
process that has successfully terminated. This is no longer the case. In XCCS, 
a specification of the form $a.0$ denotes that a process performs the action $a$ and 
then deadlocks, while a specification of the form $a.\mathrm{END}$ denotes that a process 
performs the action $a$ and then successfully terminates. This slight extension 
of the language allows the null process and the restriction operator to 
be used in our third logic without compromising the compositionality of its 
semantics. 

In [12] and [13], Milner uses a clever syntactic construction to define a form 
of sequential composition. It is slightly different from the form presented in table 
2 and it is not a primitive operator. He also uses the notation ; for it, but we 
denote his construction with a : instead, so we can easily differentiate between 
his and our constructions. Milner's construction depends on a number of things. 
First, we must consider a new name $z \notin \mathcal{N}$. Second, every process must perform 
the action $\bar{z}$ as its last action before termination and may not perform $z$ or $\bar{z}$ at 
any other point of execution. Third, we must perform syntactic substitutions of 
names in processes, where $P[b/a]$ denotes the substitution of every occurrence 
of $a$ ($\bar{a}$) in $P$ by $b$ ($\bar{b}$). Then, sequential composition is defined in the following 
way: 

$P : Q = (P[a/z] \,|\, a.Q) \backslash \{a\}$, 

where $a$ must be a name that occurs in neither $P$ nor $Q$. 

The main difference between the two forms of sequential composition is that, 
as tables 1 and 2 easily show, $\mathcal{R}_f(P;Q) = \mathcal{R}_f(P) \circ \mathcal{R}_f(Q)$, while $\mathcal{R}_f(P : Q) = 
\mathcal{R}_f(P) \circ \{\tau\} \circ \mathcal{R}_f(Q)$. The extra $\tau$ would also be present in the finite runs of 
a process $P^*$, as we use sequential composition to define the semantics of the 
iteration operator (table 2). These extra $\tau$'s appearing between the finite runs 
of the subprocesses would be a complication to the semantics of our logic, as 
some intuitive validities, such as $\langle A\rangle\langle B\rangle\varphi \leftrightarrow \langle A;B\rangle\varphi$, would be false. Since we 
are already introducing the END process to solve the previous problems with 
the null process, there is no reason why we should not also use it to build a 
simpler and more convenient form of sequential composition and a simple form 
of iteration, as is done in table 2. 

Now, we need to make slight adjustments to the notion of strong bisimulation 
and to the Expansion Law. 

Definition 24. Let $\mathcal{V}$ be the set of all possible process specifications. A set 
$Z \subseteq \mathcal{V} \times \mathcal{V}$ is a strong bisimulation if $(P, Q) \in Z$ implies, for all $\alpha \in \mathcal{A}_r$, 

• If $P \xrightarrow{\alpha} P'$ and $P' \in \mathcal{V}$, then there is $Q' \in \mathcal{V}$ such that $Q \xrightarrow{\alpha} Q'$ and 
$(P', Q') \in Z$; 

• If $Q \xrightarrow{\alpha} Q'$ and $Q' \in \mathcal{V}$, then there is $P' \in \mathcal{V}$ such that $P \xrightarrow{\alpha} P'$ and 
$(P', Q') \in Z$; 

and 

• $P \xrightarrow{\mathrm{END}} \surd$ if and only if $Q \xrightarrow{\mathrm{END}} \surd$. 

The definition of strong bisimilarity is analogous to definition 7, using the 
new notion of strong bisimulation stated above. 

In the presence of the iteration operator, a weaker version of the Expansion 
Law is now sufficient for our needs. 

Theorem 10 (Expansion Law (EL)). Let $P = P_1 \,|\, P_2$, where $P$ is unrestricted 
and $|$ does not occur in $P_1$ and $P_2$. Then 

$P \sim \sum_{P_1 \xrightarrow{\alpha} P_1'} \alpha.(P_1' \,|\, P_2) + \sum_{P_2 \xrightarrow{\beta} P_2'} \beta.(P_1 \,|\, P_2') + \sum_{R \in \Delta_\tau} \tau.R + E_P$, 

where $\Delta_\tau = \{(P_1' \,|\, P_2') : P_1 \xrightarrow{a} P_1' \text{ and } P_2 \xrightarrow{\bar{a}} P_2', \text{ for some } a \in \mathcal{N}\} \cup \{(P_1' \,|\, 
P_2') : P_1 \xrightarrow{\bar{a}} P_1' \text{ and } P_2 \xrightarrow{a} P_2', \text{ for some } a \in \mathcal{N}\}$ and $E_P = \mathrm{END}$, if $P_1 \xrightarrow{\mathrm{END}} \surd$ 
and $P_2 \xrightarrow{\mathrm{END}} \surd$, or $E_P = 0$, otherwise. Again, we denote the right side of this 
bisimilarity by $\mathrm{Exp}(P)$. 

Finally, because of the presence of the action END, we need to slightly 
adjust the definition of the composition $R \circ S$ of two sets $R$ and $S$ of finite 
sequences of actions. 

Definition 25. Let $\lfloor\vec{\alpha}\rfloor = \vec{\lambda}$, if $\vec{\alpha} = \vec{\lambda}.\mathrm{END}$, and $\lfloor\vec{\alpha}\rfloor = \vec{\alpha}$, otherwise. 
Then, 

$R \circ S = \{\lfloor\vec{\alpha}\rfloor.\vec{\beta} : \vec{\alpha} \in R \text{ and } \vec{\beta} \in S\}$ 

Now, we define some concepts that are useful for the axiomatization of our 
third logic. 

Definition 26. We say that a relation $\equiv$ between processes is a congruence if 
it is an equivalence relation and it is preserved by all XCCS operators, that 
is, if $P \equiv Q$, then $\alpha.P \equiv \alpha.Q$, $P + R \equiv Q + R$ and so on. 

Definition 27. A syntactic substitution of a restricted name by a fresh name 
(a name that does not occur in the process specification) in a restriction set $L$ 
and in every occurrence of the name in the scope of the corresponding restriction 
$\backslash L$ is called an alpha conversion. 
Definition 28. Restriction congruence, or r-congruence, denoted by $\equiv_r$, is a 
relation between processes defined by the following set of axioms and rules, where 
$n(P)$ denotes the set of names that occur in $P$ as part of input and output 
actions. 

1. It is a congruence; 

2. It is closed under alpha conversion; 

3. $0 \backslash L \equiv_r 0$; 

4. $\mathrm{END} \backslash L \equiv_r \mathrm{END}$; 

5. If $\alpha \notin L \cup \bar{L}$, $(\alpha.P) \backslash L \equiv_r \alpha.(P \backslash L)$; 

6. If $\alpha \in L \cup \bar{L}$, $(\alpha.P) \backslash L \equiv_r 0$; 

7. $(P ; Q) \backslash L \equiv_r (P \backslash L) ; (Q \backslash L)$; 

8. $(P + Q) \backslash L \equiv_r (P \backslash L) + (Q \backslash L)$; 

9. If $n(P) \cap (L \cup \bar{L}) = \emptyset$, $P \,|\, (Q \backslash L) \equiv_r (P \,|\, Q) \backslash L$; 

10. $(P^*) \backslash L \equiv_r (P \backslash L)^*$; 

11. $P \backslash L \backslash M \equiv_r P \backslash (L \cup M)$; 

12. If $n(P) \cap (L \cup \bar{L}) = \emptyset$, $P \backslash L \equiv_r P$. 

Definition 29. We say that a process is in r-external form if it has the form 
$P \backslash L$, where $P$ is unrestricted. 

Theorem 11. Every process is r-congruent to a process in r-external form 
and every process with no occurrences of the $\backslash$ operator is r-congruent to an 
unrestricted process. 

Proof. The proof follows from definition 28. □ 

Theorem 12. If $P \equiv_r Q$, then $P \sim Q$. 

Proof. The proof follows from table 2 and definition 7. □ 
5.2 Language and Semantics 

In this section, we present the syntax and semantics of XCCS-PDL. 

Definition 30. The XCCS-PDL language consists of a set $\Phi$ of countably many 
proposition symbols, a set $\mathcal{N}$ of countably many names, the silent action $\tau$, the 
ending action END, the boolean connectives $\neg$ and $\wedge$, the XCCS operators $.$, 
$;$, $+$, $|$, $*$ and $\backslash$, a modality $\langle a\rangle$ for every $a \in \mathcal{N} \cup \overline{\mathcal{N}} \cup \{\tau\}$ and a modality $\langle P\rangle$ 
for every process $P$, including the atomic processes $0$ and END. The formulas 
are defined as follows: 

$\varphi ::= p \mid \top \mid \neg\varphi \mid \varphi_1 \wedge \varphi_2 \mid \langle a\rangle\varphi \mid \langle P\rangle\varphi$, 

with 

$P ::= 0 \mid \mathrm{END} \mid a.P \mid P_1 ; P_2 \mid P_1 + P_2 \mid P_1 | P_2 \mid P^* \mid P \backslash L$, 

where $p \in \Phi$, $a \in \mathcal{N} \cup \overline{\mathcal{N}} \cup \{\tau\}$ and $L \subseteq \mathcal{N}$. 

Definition 31. A frame for XCCS-PDL is a tuple $\mathcal{F} = (W, \{R_a\}, R_{\mathrm{END}})$ where 

• $W$ is a non-empty set of states; 

• $R_a$, for each $a \in \mathcal{N} \cup \overline{\mathcal{N}} \cup \{\tau\}$, and $R_{\mathrm{END}}$ are the basic binary relations, 
where $R_{\mathrm{END}} = \{(w, w) : w \in W\}$. 
The notion of model is defined analogously to definition 11. We define the 
semantical notion of satisfaction for XCCS-PDL as follows: 

Definition 32. Let $\mathcal{M} = (\mathcal{F}, V)$ be a model. The notion of satisfaction of a 
formula $\varphi$ in a model $\mathcal{M}$ at a state $w$, notation $\mathcal{M}, w \Vdash \varphi$, can be inductively 
defined as follows: 

• $\mathcal{M}, w \Vdash p$ iff $w \in V(p)$; 

• $\mathcal{M}, w \Vdash \top$ always; 

• $\mathcal{M}, w \Vdash \neg\varphi$ iff $\mathcal{M}, w \nVdash \varphi$; 

• $\mathcal{M}, w \Vdash \varphi_1 \wedge \varphi_2$ iff $\mathcal{M}, w \Vdash \varphi_1$ and $\mathcal{M}, w \Vdash \varphi_2$; 

• $\mathcal{M}, w \Vdash \langle a\rangle\varphi$ iff there is $w' \in W$ such that $w R_a w'$ and $\mathcal{M}, w' \Vdash \varphi$, where 
$a \in \mathcal{N} \cup \overline{\mathcal{N}} \cup \{\tau\}$; 

• $\mathcal{M}, w \Vdash \langle P\rangle\varphi$ iff there is a finite path $(v_0, v_1, \ldots, v_n)$, $n \geq 1$, such that 
$v_0 = w$, $\mathcal{M}, v_n \Vdash \varphi$ and there is $\vec{\alpha} \in \mathcal{R}_f(P)$ of length $n$ such that 
$(v_{i-1}, v_i) \in R_\beta$ if and only if $(\vec{\alpha})_i = \beta$, for $1 \leq i \leq n$. We say that 
such $\vec{\alpha}$ matches the path $(v_0, \ldots, v_n)$. 

It is not difficult to see that theorem 3 and corollary 1 remain valid in 
XCCS-PDL. 

Theorem 13. The following set equalities are true: 

1. $\mathcal{R}_f(0) = \emptyset$; 

2. $\mathcal{R}_f(\mathrm{END}) = \{\mathrm{END}\}$; 

3. $\mathcal{R}_f(a.P) = \mathcal{R}_f(a) \circ \mathcal{R}_f(P)$; 

4. $\mathcal{R}_f(P_1 ; P_2) = \mathcal{R}_f(P_1) \circ \mathcal{R}_f(P_2)$; 

5. $\mathcal{R}_f(P_1 + P_2) = \mathcal{R}_f(P_1) \cup \mathcal{R}_f(P_2)$; 

6. $\mathcal{R}_f(P^*) = \mathcal{R}_f(P)^*$; 

7. $\mathcal{R}_f(P_1 \,|\, P_2) = \bigcup\{\delta(\vec{\alpha} \,|\, \vec{\beta}) : \vec{\alpha} \in \mathcal{R}_f(P_1) \text{ and } \vec{\beta} \in \mathcal{R}_f(P_2)\}$; 

8. If $\mathcal{R}_f(P) = \mathcal{R}_f(Q)$, then $\mathcal{R}_f(P \backslash L) = \mathcal{R}_f(Q \backslash L)$; 

9. If $\mathcal{R}_f(P) = \mathcal{R}_f(A) \circ \mathcal{R}_f(P) \cup \mathcal{R}_f(B)$ and $\mathrm{END} \notin \mathcal{R}_f(A)$, then 
$\mathcal{R}_f(P) = \mathcal{R}_f(A)^* \circ \mathcal{R}_f(B)$. 

Proof. The proof of the first eight items is straightforward from table 2 and 
theorem 5. The ninth item is Arden's Rule [1] applied in our context. □ 
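As an added worked example (not code from the paper), the following Python interpreter implements the XCCS transitions as recovered from the discussion of table 2, computes the finite runs of a process, applies the composition of Definition 25, and checks item 4 of Theorem 13 on constructed processes; the tuple encoding of terms, the rule that END passes through a restriction, and the length bound on runs (so that $P^*$ stays finite) are assumptions of this example.

```python
# Finite runs of XCCS processes (transitions of Table 2, composition of
# Definition 25, set equalities of Theorem 13). Process terms are tuples:
#   ('0',)   ('END',)   ('pre', a, P) a.P   ('seq', P, Q) P;Q   ('sum', P, Q) P+Q
#   ('par', P, Q) P|Q   ('star', P) P*      ('res', P, L) P\L, L a frozenset of names
# Actions: a name 'x', its co-name '~x', 'tau' or 'END'. A successor of None
# stands for the terminated process (the tick of the paper).
TAU, END = 'tau', 'END'

def co(a):
    """Complementary action: x <-> ~x (tau has no complement)."""
    return a[1:] if a.startswith('~') else '~' + a

def base(a):
    """Underlying name of an action, so that P\\L filters both a and ~a."""
    return a[1:] if a.startswith('~') else a

def step(p):
    """All transitions (action, successor) of the process p."""
    kind = p[0]
    if kind == '0':
        return set()
    if kind == 'END':
        return {(END, None)}
    if kind == 'pre':
        return {(p[1], p[2])}
    if kind == 'sum':
        return step(p[1]) | step(p[2])
    if kind == 'seq':
        P, Q = p[1], p[2]
        out = set()
        for a, P1 in step(P):
            if P1 is None:                   # P ends, so P;Q continues as Q
                out |= step(Q)
            else:
                out.add((a, ('seq', P1, Q)))
        return out
    if kind == 'par':
        P, Q = p[1], p[2]
        sp, sq = step(P), step(Q)
        out = {(a, ('par', P1, Q)) for a, P1 in sp if P1 is not None}
        out |= {(b, ('par', P, Q1)) for b, Q1 in sq if Q1 is not None}
        for a, P1 in sp:                     # handshake on complementary actions
            for b, Q1 in sq:
                if P1 is not None and Q1 is not None and a != TAU and co(a) == b:
                    out.add((TAU, ('par', P1, Q1)))
        if (END, None) in sp and (END, None) in sq:   # both sides end together
            out.add((END, None))
        return out
    if kind == 'star':
        # P* behaves as END + P;P* (axiom (Rec)); an immediate END of P adds
        # nothing new because P* already offers END, so this cannot loop.
        out = {(END, None)}
        out |= {(a, ('seq', P1, p)) for a, P1 in step(p[1]) if P1 is not None}
        return out
    if kind == 'res':
        P, L = p[1], p[2]
        out = set()
        for a, P1 in step(P):
            if P1 is None:                   # assumption: END is never restricted
                out.add((END, None))
            elif a == TAU or base(a) not in L:
                out.add((a, ('res', P1, L)))
        return out
    raise ValueError('unknown process term: %r' % (p,))

def runs(p, max_len):
    """R_f(p): action sequences leading to the tick (each ends with END).
    Only runs of at most max_len actions are explored, so P* stays finite."""
    out = set()
    def dfs(proc, prefix):
        if len(prefix) >= max_len:
            return
        for a, succ in step(proc):
            if succ is None:
                out.add(prefix + (a,))
            else:
                dfs(succ, prefix + (a,))
    dfs(p, ())
    return frozenset(out)

def compose(R, S):
    """R o S of Definition 25: the trailing END of a run in R is dropped."""
    strip = lambda r: r[:-1] if r and r[-1] == END else r
    return frozenset(strip(a) + b for a in R for b in S)

def demo():
    """Constructed sample processes; returns the checks a reader can inspect."""
    E = ('END',)
    P1 = ('pre', 'a', E)                             # a.END
    P2 = ('sum', ('pre', 'b', E), ('pre', 'c', E))   # b.END + c.END
    # Theorem 13, item 4, on a finite case: R_f(P1;P2) = R_f(P1) o R_f(P2)
    seq_ok = runs(('seq', P1, P2), 10) == compose(runs(P1, 10), runs(P2, 10))
    par = ('par', P1, ('pre', '~a', E))              # a.END | ~a.END
    par_runs = runs(par, 10)                          # two interleavings plus tau
    hidden = runs(('res', par, frozenset({'a'})), 10) # only the handshake is left
    star_runs = runs(('star', P1), 4)                # (a.END)* up to 4 actions
    deadlock = runs(('pre', 'a', ('0',)), 10)         # a.0 never reaches the tick
    return seq_ok, par_runs, hidden, star_runs, deadlock
```

Calling demo() returns True for the sequential-composition check, the three runs of the handshake example, the single run (tau, END) once a is restricted, four runs for the bounded iteration, and an empty set for a.0.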

5.3 Axiomatic System 

We consider the following set of axioms and rules, where $p$ and $q$ are proposition 
symbols and $\varphi$ and $\psi$ are formulas. 

(sCCS) The axioms (PL), (K), (Du), (Pr) and (NC) and the rules (PC), 
(Sub), (MP) and (Gen) 

(0) $\vdash \neg\langle 0\rangle p$ 

(END) $\vdash \langle \mathrm{END}\rangle p \leftrightarrow p$ 

(SC) $\vdash \langle P_1 ; P_2\rangle p \leftrightarrow \langle P_1\rangle\langle P_2\rangle p$ 

(Rec) $\vdash \langle P^*\rangle p \leftrightarrow p \vee \langle P\rangle\langle P^*\rangle p$ 

(FP) $\vdash p \wedge [P^*](p \rightarrow [P]p) \rightarrow [P^*]p$ 

(PCSub) If $\vdash \langle P\rangle p \leftrightarrow \langle Q\rangle p$, then $\vdash \langle P \,|\, R\rangle p \leftrightarrow \langle Q \,|\, R\rangle p$ 

(RSub) If $\vdash \langle P\rangle p \leftrightarrow \langle Q\rangle p$, then $\vdash \langle P \backslash L\rangle p \leftrightarrow \langle Q \backslash L\rangle p$ 

(Ard) If $\vdash \langle P\rangle p \leftrightarrow \langle A ; P + B\rangle p$ and $A \not\xrightarrow{\mathrm{END}} \surd$, then $\vdash \langle P\rangle p \leftrightarrow \langle A^* ; B\rangle p$ 

(Con) If $P \equiv_r Q$, then $\vdash \langle P\rangle p \leftrightarrow \langle Q\rangle p$ 

The proof of soundness is analogous to the proofs of soundness for sCCS- 
PDL and CCS-PDL. The axioms (PL), (K) and (Du) and the rules (Sub), 
(MP) and (Gen) are standard in the modal logic literature. The soundness of 
(Pr), (NC), (0), (SC), (Rec), (FP), (PCSub), (RSub) and (Ard) follows 
from the set equalities in theorem 13 and theorem 3. The soundness of (END) 
also follows from the two previous results with the help of definition 31. The 
soundness of (PC) and (Con) follows from theorems 10 and 12 with the help 
of corollary 1. The only rule that may require special attention is (PCSub). 

Theorem 14. The rule (PCSub) is sound. 

Proof. By theorem 13, $\mathcal{R}_f(P_1 \,|\, P_2) = \bigcup\{\delta(\vec{\alpha} \,|\, \vec{\beta}) : \vec{\alpha} \in \mathcal{R}_f(P_1) \text{ and } \vec{\beta} \in 
\mathcal{R}_f(P_2)\}$. Now, suppose that $\Vdash \langle P\rangle p \leftrightarrow \langle Q\rangle p$, but $\nVdash \langle P \,|\, R\rangle p \leftrightarrow \langle Q \,|\, R\rangle p$. Then, 
by theorem 3, $\mathcal{R}_f(P) = \mathcal{R}_f(Q)$, but $\mathcal{R}_f(P \,|\, R) \neq \mathcal{R}_f(Q \,|\, R)$. We may assume, 
without loss of generality, that there is $\vec{\lambda}$ such that $\vec{\lambda} \in \mathcal{R}_f(P \,|\, R)$ (*), but 
$\vec{\lambda} \notin \mathcal{R}_f(Q \,|\, R)$ (**). (*) implies that there are $\vec{\alpha} \in \mathcal{R}_f(P)$ and $\vec{\beta} \in \mathcal{R}_f(R)$ such 
that $\vec{\lambda} \in \delta(\vec{\alpha} \,|\, \vec{\beta})$. But then $\vec{\alpha} \in \mathcal{R}_f(Q)$, which implies that $\vec{\lambda} \in \mathcal{R}_f(Q \,|\, R)$, 
contradicting (**). □ 

Definition 33. We define the following relation between processes: $P \approx Q$ iff 
$\vdash \langle P\rangle p \leftrightarrow \langle Q\rangle p$. 

Theorem 15. $\approx$ is a congruence. 

Proof. This relation is clearly an equivalence relation and the axioms (Pr), 
(SC), (NC), (Rec) and (FP) and the rules (PCSub) and (RSub) enforce 
the preservation results needed to satisfy definition 26. □ 

Definition 34. Let $\Omega_k = \{P_1, \ldots, P_k\}$ be a set of processes such that $P_i \not\approx P_j$, 
if $i \neq j$. Let $E(\Omega_k) = \{E_1, \ldots, E_k\}$ such that $E_i = (P_i, T_i)$, $P_i \approx T_i$, $T_i = $ [expression lost in extraction] 
and, for all $(i, j)$, $A_i^j$ has no occurrence of $|$. We say that $E(\Omega_k)$ is 
closed if, for all $(i, j)$, $Q_i^j \in \Omega_k$. 

Theorem 16. Let $P = P_1 \,|\, P_2$, where $P$ is unrestricted. Then $P \approx \hat{P}$, where 
$\hat{P}$ has no occurrence of the $|$ operator. 

Proof. The proof is by induction on the number $n$ of occurrences of the $|$ operator 
in $P$. If $n = 0$, then $\hat{P} = P$ and there is nothing to be done. 

If $n = 1$, then EL can be applied to $P$. Then, we can use (PC) to build pairs 
$(P_i, T_i)$ that satisfy definition 34. Let $P_1 \approx P$ and $\Omega_k$ be the smallest set such 
that $P_1 \in \Omega_k$ and $E(\Omega_k)$ is closed. It is not difficult to see that such a set always 
exists. Take the pair $E_k$. If there is no $Q_k^j \approx P_k$ (*), then we can substitute in 
the processes $T_i$, $1 \leq i \leq k$, all the occurrences of $P_k$ by $T_k$. Otherwise, we can 
use (Ard) to substitute the pair $(P_k, T_k)$ by a pair $(P_k, T_k')$ where (*) holds and 
then proceed as in the previous case. We then continue this process with the 
pair $E_{k-1}$ and so on, until we finally get a pair $(P_1, T_1')$ such that no process 
in $\Omega_k$ occurs in $T_1'$. By the use of (PC) to build the initial pairs and the fact 
that neither (Ard) nor the substitution process introduces new $|$ operators, we 
have $\hat{P} = T_1'$. This method, based on the solution of a "system of equations", 
was inspired by Brzozowski's algebraic method to obtain the regular expression 
that describes the language accepted by a finite automaton [4]. 

Suppose that the theorem is true for all $n < k$. Let $P$ have $k$ occurrences of 
$|$. As $P = P_1 \,|\, P_2$, we can obtain $\hat{P}$ as $\hat{P}_1 \,|\, \hat{P}_2$. □ 

Two formulas $\phi$ and $\psi$ are equi-consistent if $\vdash \phi \leftrightarrow \psi$. By soundness, if $\phi$ 
and $\psi$ are equi-consistent, then they are also semantically equivalent. 

Theorem 17 (Completeness). Every consistent formula is satisfiable in a finite 
XCCS-PDL model. 

Proof. Let $\varphi$ be a consistent formula and let $\mathcal{P}(\varphi)$ be the set of processes that 
appear in $\varphi$. For all $P \in \mathcal{P}(\varphi)$, we can use (Con), (RSub) and theorems 11, 15 
and 16 to get a sequence $P \approx P' \approx P'' \approx P'''$, where $P'$ is in r-external form, $P''$ is 
also without any occurrence of the $|$ operator and $P'''$ is like $P''$ but unrestricted. 
We can then obtain an equi-consistent formula $\varphi' = \varphi[P'''/P, P \in \mathcal{P}(\varphi)]$ in 
which the only XCCS operators that appear are $.$, $;$, $+$ and $*$. The axioms that 
deal with all of these operators are analogous to the axioms that deal with the 
operators in standard PDL. (Pr) and (SC) are analogous to the axiom of the 
PDL ; operator, (NC) is analogous to the axiom of the PDL $\cup$ operator and 
(Rec) and (FP) are analogous to the axioms of the PDL $*$ operator. Thus, we 
can follow the completeness proof of standard PDL (the PDL axioms and its 
completeness proof are presented in detail in [3]), treating the actions as basic 
PDL programs, to show that $\varphi'$ is satisfiable in a finite model. As $\varphi$ and $\varphi'$ 
are equi-consistent, they are also semantically equivalent, which means that $\varphi$ 
is also satisfied in that same finite model. □ 

6 Final Remarks and Future Work 

In this work, we present three increasingly expressive Dynamic Logics in which 
the programs are CCS terms (sCCS-PDL, CCS-PDL and XCCS-PDL). We pro- 
vide a simple Kripke semantics for them, based on the idea of finite possible 
runs of processes, and also give complete axiomatizations for these logics. We 
prove the completeness of the axiomatic systems and the finite model property 
for the logics using a Fischer-Ladner construction. 

We also provide a method, in a language with an iteration (*) and a sequential 
composition (;) operator, to rewrite any process specification to a form without 
the parallel composition operator (|) while preserving the set of finite possible 
runs of the process. This method is based on Brzozowski's algorithm to find the 
regular expression that corresponds to a finite automaton [4]. We feel that this is 
an interesting and original application of Brzozowski's idea and that it provides 
an elegant proof of a key result for the completeness of our last axiomatization. 

As a continuation of this work, it would be interesting to study the com- 
plexity of the satisfiability problem for these logics, possibly relating it to the 
satisfiability problem for standard PDL. It would also be interesting to develop 
an automatic theorem prover for these logics. This would involve, among other 
things, an efficient algorithmic method to deal with the expansion of paral- 
lel processes and, in the particular case of CCS-PDL, an efficient algorithmic 
method to determine the processes $L_P$ and $T_P$ related to a knot process $P$. 

We would also like to investigate an extension of these logics for $\pi$-Calculus 
processes [13], in which the acts of communication are more complex than 
in CCS. The $\pi$-Calculus is a very powerful process algebra that is able to de- 
scribe not only non-determinism and concurrency, but also mobility of processes, 
and that can also be used to encode some powerful programming paradigms, 
such as object-oriented programming and functional programming ($\lambda$-Calculus) [?]. 
Besides that, the $\pi$-Calculus has a specific operator to denote that a process has 
the ability to self-replicate, so this could be an interesting context in which to analyze 
in more depth the issue of self-replicating processes, which was left out of the 
present work. 
A Completeness Proof for CCS-PDL 

Definition 35. Let $\phi$ be a formula. We define the formula $\tilde{\phi}$ as $\tilde{\phi} = \psi$, if 
$\phi = \neg\psi$, or $\tilde{\phi} = \neg\phi$, otherwise. 

Definition 36 (Fischer-Ladner Closure). Let $\Gamma$ be a set of formulas. The 
Fischer-Ladner Closure of $\Gamma$, notation $C(\Gamma)$, is the smallest set of formulas 
that contains $\Gamma$ and satisfies the following conditions: 

• $C(\Gamma)$ is closed under sub-formulas; 

• if $\phi \in C(\Gamma)$, then $\tilde{\phi} \in C(\Gamma)$; 

• For knot processes: 

– If $\langle P\rangle\varphi \in C(\Gamma)$, then $\langle T_P\rangle\varphi \vee \langle L_P\rangle\langle P\rangle\varphi \in C(\Gamma)$. 

• For non-knot processes: 

– If $\langle a.P\rangle\varphi \in C(\Gamma)$, then $\langle a\rangle\langle P\rangle\varphi \in C(\Gamma)$; 

– If $\langle a.A\rangle\varphi \in C(\Gamma)$, then $\langle a\rangle\langle P_A\rangle\varphi \in C(\Gamma)$; 

– If $\langle P_1 + P_2\rangle\varphi \in C(\Gamma)$, then $\langle P_1\rangle\varphi \vee \langle P_2\rangle\varphi \in C(\Gamma)$; 

– If $\langle P_1 \,|\, P_2\rangle\varphi \in C(\Gamma)$, then $\bigvee_{P_1 \xrightarrow{\alpha} P_1'} \langle\alpha\rangle\langle P_1' \,|\, P_2\rangle\varphi \vee \bigvee_{P_2 \xrightarrow{\beta} P_2'} \langle\beta\rangle\langle P_1 \,|\, 
P_2'\rangle\varphi \vee \bigvee_{P_1 \xrightarrow{a} P_1',\, P_2 \xrightarrow{\bar{a}} P_2'} \langle\tau\rangle\langle P_1' \,|\, P_2'\rangle\varphi \in C(\Gamma)$. 
It is not difficult to prove that if $\Gamma$ is finite, then the closure $C(\Gamma)$ is also 
finite. We assume $\Gamma$ to be finite from now on. 

Definition 37. A set of formulas $A$ is said to be an atom over $\Gamma$ if it is a 
maximal consistent subset of $C(\Gamma)$. The set of all atoms over $\Gamma$ is denoted by 
$At(\Gamma)$. We denote the conjunction of all the formulas in an atom $A$ as $\bigwedge A$. 

Lemma 2. Every atom $A \in At(\Gamma)$ has the following properties: 

1. For every $\phi \in C(\Gamma)$, exactly one of $\phi$ and $\tilde{\phi}$ belongs to $A$. 

2. For every $\phi \wedge \psi \in C(\Gamma)$, $\phi \wedge \psi \in A$ iff $\phi \in A$ and $\psi \in A$. 

Proof. This follows immediately from the definition of atoms as maximal con- 
sistent subsets of $C(\Gamma)$. □ 

Lemma 3. If $\Delta \subseteq C(\Gamma)$ and $\Delta$ is consistent then there exists an atom $A \in 
At(\Gamma)$ such that $\Delta \subseteq A$. 

Proof. We can construct the atom $A$ as follows. First, we enumerate the ele- 
ments of $C(\Gamma)$ as $\phi_1, \ldots, \phi_n$. We start the construction making $\Delta_0 = \Delta$. Then, 
for $0 \leq i < n$, we know that $\bigwedge\Delta_i \leftrightarrow (\bigwedge\Delta_i \wedge \phi_{i+1}) \vee (\bigwedge\Delta_i \wedge \tilde{\phi}_{i+1})$ is a tautology 
and therefore either $\Delta_i \cup \{\phi_{i+1}\}$ or $\Delta_i \cup \{\tilde{\phi}_{i+1}\}$ is consistent. We take $\Delta_{i+1}$ as 
the consistent extension. At the end, we make $A = \Delta_n$. □ 

Corollary 2. If $\varphi \in C(\Gamma)$ is a consistent formula, then there is an atom $A \in 
At(\Gamma)$ such that $\varphi \in A$. 

Definition 38 (Canonical model over $\Gamma$). Let $\Gamma$ be a finite set of formulas. 
The canonical model over $\Gamma$ is the tuple $\mathcal{M}^\Gamma = (At(\Gamma), \{S_a\}, V)$ where, for 
all elements $p \in \Phi$, we have $V(p) = \{A \in At(\Gamma) \mid p \in A\}$ and, for all atoms 
$A, B \in At(\Gamma)$, $A S_a B$ if and only if $\bigwedge A \wedge \langle a\rangle\bigwedge B$ is consistent. 
$V$ is called the canonical valuation and $S_a$ the canonical relations, where $a$ is 
a CCS action. 

Definition 39. We write $A \xrightarrow{P} B$ if and only if $\bigwedge A \wedge \langle P\rangle\bigwedge B$ is consistent. 
We also write $S_P = \{(A, B) : A \xrightarrow{P} B\}$. 

Lemma 4 (Existence Lemma for Basic Processes). Let $A$ be an atom and let 
$a$ be an action. Then, for all formulas $\langle a\rangle\phi \in C(\Gamma)$, $\langle a\rangle\phi \in A$ iff there is a 
$B \in At(\Gamma)$ such that $A S_a B$ and $\phi \in B$. 

Proof. ($\Rightarrow$) Suppose $\langle a\rangle\phi \in A$. We can build an appropriate atom $B$ by forcing 
choices. Enumerate the formulas in $C(\Gamma)$ as $\phi_1, \ldots, \phi_n$. Define $B_0 = \{\phi\}$. 
Suppose, as an inductive hypothesis, that $B_m$ is defined such that $\bigwedge A \wedge \langle a\rangle\bigwedge B_m$ 
is consistent, for $0 \leq m < n$. We have that 

$\vdash \langle a\rangle\bigwedge B_m \rightarrow \langle a\rangle((\bigwedge B_m \wedge \phi_{m+1}) \vee (\bigwedge B_m \wedge \tilde{\phi}_{m+1}))$ 

thus 

$\vdash \langle a\rangle\bigwedge B_m \rightarrow (\langle a\rangle(\bigwedge B_m \wedge \phi_{m+1}) \vee \langle a\rangle(\bigwedge B_m \wedge \tilde{\phi}_{m+1}))$. 

Therefore, either for $B' = B_m \cup \{\phi_{m+1}\}$ or for $B' = B_m \cup \{\tilde{\phi}_{m+1}\}$, we have that 
$\bigwedge A \wedge \langle a\rangle\bigwedge B'$ is consistent. We take $B_{m+1}$ as the consistent extension. At the 
end, we make $B = B_n$. We have that $\phi \in B$ and, as $\bigwedge A \wedge \langle a\rangle\bigwedge B$ is consistent, 
$A S_a B$, by definition 38. 

($\Leftarrow$) Suppose that there is an atom $B$ such that $\phi \in B$ and $A S_a B$. Then 
$\bigwedge A \wedge \langle a\rangle\bigwedge B$ is consistent by definition 38. As $\phi$ is one of the conjuncts of $\bigwedge B$, 
$\bigwedge A \wedge \langle a\rangle\phi$ is also consistent. As $\langle a\rangle\phi$ is in $C(\Gamma)$, it must also be in $A$, since $A$ 
is a maximal consistent subset of $C(\Gamma)$. □ 

Lemma 5. For all knot processes $P$, $S_P \subseteq S'_P$, where $S'_P = S^*_{L_P} \circ S_{T_P}$. 

Proof. For an atom $B \in At(\Gamma)$ and a relation $S$, we denote the set of atoms 
$\{A \mid A S B\}$ as $\langle S\rangle B$. Suppose there are two atoms $A, B \in At(\Gamma)$ such that 
$A \in \langle S_P\rangle B$, but $A \notin \langle S'_P\rangle B$. Let $V = \{C \in At(\Gamma) \mid C \in \langle S_P\rangle B \text{ but } C \notin \langle S'_P\rangle B\} 
\cup \{C \in At(\Gamma) \mid C \notin \langle S_P\rangle B\}$ and $\overline{V} = At(\Gamma) \setminus V = \{C \in At(\Gamma) \mid C \in 
\langle S_P\rangle B \text{ and } C \in \langle S'_P\rangle B\}$. Thus, $A \in V$. Let $r = \bigvee\{\bigwedge C \mid C \in V\}$. It is not 
difficult to see that $\neg r = \bigvee\{\bigwedge C \mid C \in \overline{V}\}$. 

First, we have that $\vdash r \rightarrow [T_P]\neg\bigwedge B$. Otherwise, $\neg(r \rightarrow [T_P]\neg\bigwedge B) = 
r \wedge \langle T_P\rangle\bigwedge B$ is consistent. This means that there is $A' \in V$ such that $\bigwedge A' \wedge 
\langle T_P\rangle\bigwedge B$ is consistent. On one hand, this implies, by (Rec), that $\bigwedge A' \wedge \langle P\rangle\bigwedge B$ 
is consistent, which means that $A' \in \langle S_P\rangle B$. On the other hand, it implies that 
$A' S_{T_P} B$, which means that $A' \in \langle S'_P\rangle B$. These two conclusions contradict the 
fact that $A' \in V$. 

Second, we also have that $\vdash r \rightarrow [L_P]r$. Otherwise, $\neg(r \rightarrow [L_P]r) = r \wedge 
\langle L_P\rangle\neg r$ is consistent. This means that there are $A' \in V$ and $B' \in \overline{V}$ such 
that $\bigwedge A' \wedge \langle L_P\rangle\bigwedge B'$ is consistent, which implies that $A' S_{L_P} B'$. Since $B' \in \overline{V}$, 
$B' S_P B$ and $B' S'_P B$. On one hand, $A' S_{L_P} B'$ and $B' S'_P B$ imply that $A' S'_P B$ (*). 
On the other hand, $A' S_{L_P} B'$ and $B' S_P B$ imply that $\bigwedge A' \wedge \langle L_P\rangle\langle P\rangle\bigwedge B$ is 
consistent, which, by (Rec), implies that $\bigwedge A' \wedge \langle P\rangle\bigwedge B$ is consistent, which 
means that $A' S_P B$ (**). The conclusions in (*) and (**) contradict the fact 
that $A' \in V$. 

Taking these two results together, we conclude that $\vdash r \rightarrow ([T_P]\neg\bigwedge B \wedge 
[L_P]r)$. By (Gen), (PL), (FP) and (MP), $\vdash r \rightarrow [P]\neg\bigwedge B$. But, as $A \in V$, $\vdash 
\bigwedge A \rightarrow r$, which means that $\vdash \bigwedge A \rightarrow [P]\neg\bigwedge B$. This implies that $\bigwedge A \wedge \langle P\rangle\bigwedge B$ 
is inconsistent, contradicting the fact that $A S_P B$. Thus, there cannot be a pair 
of atoms $A, B \in At(\Gamma)$ such that $A \in \langle S_P\rangle B$, but $A \notin \langle S'_P\rangle B$. □ 

Definition 40. We write $A \stackrel{P}{\Longrightarrow} B$ if and only if there is a path in the canonical 
model starting in $A$ and ending in $B$ such that there is $\vec{\alpha} \in \mathcal{R}_f(P)$ that matches 
it. We also write $R_P = \{(A, B) : A \stackrel{P}{\Longrightarrow} B\}$. Finally, it also follows from this 
definition that $\mathcal{M}^\Gamma, A \Vdash \langle P\rangle\varphi$ if and only if there is $B$ such that $(A, B) \in R_P$ 
and $\mathcal{M}^\Gamma, B \Vdash \varphi$. 

Lemma 6. For all processes $P$, $S_P \subseteq R_P$. 

Proof. The proof is by induction on the structure of the process $P$. 

• If $P$ is an action $a$, then the proof is straightforward. First, $\mathcal{R}_f(P) = \{a\}$. 
Now, if $A S_a B$, then there is a path in the canonical model starting in $A$ 
and ending in $B$ such that there is $\vec{\alpha} \in \mathcal{R}_f(P)$ that matches it. Hence, 
$A R_a B$ is true as well. 

• $P$ is a non-knot process: 

– Suppose $A S_{a.P} B$, that is, $\bigwedge A \wedge \langle a.P\rangle\bigwedge B$ is consistent. By (Pr), 
$\bigwedge A \wedge \langle a\rangle\langle P\rangle\bigwedge B$ is consistent as well. Using a "forcing choices" 
argument (as exemplified in lemma 3), we can construct an atom $C$ 
such that $\bigwedge A \wedge \langle a\rangle\bigwedge C$ and $\bigwedge C \wedge \langle P\rangle\bigwedge B$ are both consistent. But 
then, by the inductive hypothesis, $A R_a C$ and $C R_P B$. It follows that 
$A R_{a.P} B$ as required. 

– Suppose $A S_{a.A} B$, that is, $\bigwedge A \wedge \langle a.A\rangle\bigwedge B$ is consistent. By (Cons), 
$\bigwedge A \wedge \langle a\rangle\langle P_A\rangle\bigwedge B$ is consistent as well. Using a "forcing choices" 
argument, we can construct an atom $C$ such that $\bigwedge A \wedge \langle a\rangle\bigwedge C$ and 
$\bigwedge C \wedge \langle P_A\rangle\bigwedge B$ are both consistent. But then, by the inductive hy- 
pothesis, $A R_a C$ and $C R_{P_A} B$. It follows that $A R_{a.A} B$ as required. 

– Suppose $A S_{P_1 + P_2} B$, that is, $\bigwedge A \wedge \langle P_1 + P_2\rangle\bigwedge B$ is consistent. By 
(NC), $\bigwedge A \wedge \langle P_1\rangle\bigwedge B$ is consistent or $\bigwedge A \wedge \langle P_2\rangle\bigwedge B$ is consistent. 
But then, by the inductive hypothesis, $A R_{P_1} B$ or $A R_{P_2} B$. It follows 
that $A R_{P_1 + P_2} B$ as required. 

– Suppose $A S_{P_1 | P_2} B$, that is, $\bigwedge A \wedge \langle P_1 \,|\, P_2\rangle\bigwedge B$ is consistent. By 
(PC), $\bigwedge A \wedge \langle\alpha\rangle\langle P'\rangle\bigwedge B$ is consistent for some basic process $\alpha$ and 
some process $P'$. Using a "forcing choices" argument, we can con- 
struct an atom $C$ such that $\bigwedge A \wedge \langle\alpha\rangle\bigwedge C$ and $\bigwedge C \wedge \langle P'\rangle\bigwedge B$ are both 
consistent. But then, by the inductive hypothesis, $A R_\alpha C$ and $C R_{P'} B$. 
It follows that $A R_{\alpha.P'} B$, which means that $A R_{P_1 | P_2} B$ as required. 

• Suppose $A S_P B$, where $P$ is a knot process. By lemma 5, $S_P \subseteq S'_P$, 
where $S'_P = S^*_{L_P} \circ S_{T_P}$. By the induction hypothesis, $S_{L_P} \subseteq R_{L_P}$ and 
$S_{T_P} \subseteq R_{T_P}$. This implies that $S'_P \subseteq R_P$, which proves the result. 

□ 

Lemma 7 (Existence Lemma). For all atoms A G ^^(r) and all formulas 
{P)cj) e C(r), (P)0 €Aiff there is B € At{V) such that ARpB and (f>e B. 

Proof. (=>) Suppose {P)(j) G A. We can build an atom B such that (j) ^ B and 
ASpB by "forcing choices". But, by lemmaEl Sp C Pp, thus ARpB as well. 
(<J=) We proceed by induction on the structure of P. 

• The base case is just the Existence Lemma for basic processes. 

• $P$ is a non-knot process: 

— Suppose $P$ has the form $a.P'$, $A R_{a.P'} B$ and $\phi \in B$. Thus, there 
is an atom $C$ such that $A R_a C$ and $C R_{P'} B$. By the Fischer-Ladner 
closure conditions, $\langle P'\rangle\phi \in C(\Gamma)$, hence by the induction hypothesis, 
$\langle P'\rangle\phi \in C$. Similarly, as $\langle a\rangle\langle P'\rangle\phi \in C(\Gamma)$, $\langle a\rangle\langle P'\rangle\phi \in A$. Hence, by 
(Pr), $\langle a.P'\rangle\phi \in A$. 

— Suppose $P$ has the form $a.\mathcal{A}$, $A R_{a.\mathcal{A}} B$ and $\phi \in B$. Thus, there is an 
atom $C$ such that $A R_a C$, $C R_{P_{\mathcal{A}}} B$ and $\phi \in B$. By the Fischer-Ladner 
closure conditions, $\langle P_{\mathcal{A}}\rangle\phi \in C(\Gamma)$, hence by the induction hypothesis, 
$\langle P_{\mathcal{A}}\rangle\phi \in C$. Similarly, as $\langle a\rangle\langle P_{\mathcal{A}}\rangle\phi \in C(\Gamma)$, $\langle a\rangle\langle P_{\mathcal{A}}\rangle\phi \in A$. Hence, 
by (Cons), $\langle a.\mathcal{A}\rangle\phi \in A$. 
— Suppose $P$ has the form $P_1 + P_2$, $A R_{P_1+P_2} B$ and $\phi \in B$. Thus, $A R_{P_1} B$ 
or $A R_{P_2} B$. By the Fischer-Ladner closure conditions, $\langle P_1\rangle\phi, \langle P_2\rangle\phi \in 
C(\Gamma)$, hence by the inductive hypothesis, $\langle P_1\rangle\phi \in A$ or $\langle P_2\rangle\phi \in A$. 
Hence, by (NC), $\langle P_1 + P_2\rangle\phi \in A$. 

— Suppose $P$ has the form $P_1 \mid P_2$, $A R_{P_1 | P_2} B$ and $\phi \in B$. Thus, 
$A R_{a.P'} B$ for some basic process $a$ and some process $P'$. Then, there is 
an atom $C$ such that $A R_a C$ and $C R_{P'} B$. By the Fischer-Ladner 
closure conditions, $\langle a.P'\rangle\phi, \langle a\rangle\langle P'\rangle\phi, \langle P'\rangle\phi \in C(\Gamma)$, hence by the 
inductive hypothesis, $\langle P'\rangle\phi \in C$ and $\langle a\rangle\langle P'\rangle\phi \in A$. Hence, by (Pr), 
$\langle a.P'\rangle\phi \in A$ and, by (PC), $\langle P_1 \mid P_2\rangle\phi \in A$. 

• Suppose $P$ is a knot process, $A R_P B$ and $\phi \in B$. Then, there is a finite 
sequence of atoms $C_0 \cdots C_n$ such that $A = C_0 R_{L_P} C_1 \ldots C_{n-1} R_{L_P} C_n R_{T_P} B$. 
We prove by a sub-induction on $n$ that $\langle P\rangle\phi \in C_i$, for all $i$. The desired 
result for $A = C_0$ follows immediately. 

— Base case: $n = 0$. This means $A R_{T_P} B$. By the Fischer-Ladner 
closure conditions, $\langle T_P\rangle\phi \in C(\Gamma)$, hence by the inductive hypothesis, 
$\langle T_P\rangle\phi \in A$. Hence, by (Rec), $\langle P\rangle\phi \in A$. 

— Inductive step: Suppose the result holds for $k < n$, and that $A = 
C_0 R_{L_P} C_1 \ldots R_{L_P} C_n R_{T_P} B$. By the inductive hypothesis, $\langle P\rangle\phi \in C_1$. 
Hence $\langle L_P\rangle\langle P\rangle\phi \in A$, as $\langle L_P\rangle\langle P\rangle\phi \in C(\Gamma)$. By (Rec), we have 
that $\langle P\rangle\phi \in A$. 

□ 
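To make the sub-induction in the knot-process case concrete, the following unrolls it for a path of length $n = 2$. This is an added illustration, not part of the original proof; it assumes only the two consequences of (Rec) that the proof above invokes, namely $\langle T_P\rangle\phi \to \langle P\rangle\phi$ and $\langle L_P\rangle\langle P\rangle\phi \to \langle P\rangle\phi$, together with the outer induction hypothesis for the sub-processes $L_P$ and $T_P$ and the Fischer-Ladner closure of $C(\Gamma)$ as used there.

```latex
% Assumed path (length n = 2) and target formula:
%   A = C_0 \, R_{L_P} \, C_1 \, R_{L_P} \, C_2 \, R_{T_P} \, B,  \quad \phi \in B
\begin{align*}
C_2\, R_{T_P}\, B,\ \phi \in B
  &\;\Rightarrow\; \langle T_P\rangle\phi \in C_2
  && \text{(outer IH on } T_P\text{)}\\
  &\;\Rightarrow\; \langle P\rangle\phi \in C_2
  && \text{(Rec)}\\
C_1\, R_{L_P}\, C_2,\ \langle P\rangle\phi \in C_2
  &\;\Rightarrow\; \langle L_P\rangle\langle P\rangle\phi \in C_1
  && \text{(outer IH on } L_P\text{)}\\
  &\;\Rightarrow\; \langle P\rangle\phi \in C_1
  && \text{(Rec)}\\
C_0\, R_{L_P}\, C_1,\ \langle P\rangle\phi \in C_1
  &\;\Rightarrow\; \langle L_P\rangle\langle P\rangle\phi \in C_0
  && \text{(outer IH on } L_P\text{)}\\
  &\;\Rightarrow\; \langle P\rangle\phi \in C_0 = A
  && \text{(Rec)}
\end{align*}
```

Each application of the outer induction hypothesis is licensed because $\langle T_P\rangle\phi$ and $\langle L_P\rangle\langle P\rangle\phi$ belong to $C(\Gamma)$ by the Fischer-Ladner closure conditions; the pattern for general $n$ simply repeats the middle two steps once per $R_{L_P}$ link, which is exactly what the sub-induction on $n$ captures.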

Lemma 8 (Truth Lemma). Let $\mathcal{M}^\Gamma = (At(\Gamma), \{S_a\}, V)$ be the canonical model 
over $\Gamma$. For all atoms $A \in At(\Gamma)$ and all formulas $\varphi \in C(\Gamma)$, $\mathcal{M}^\Gamma, A \Vdash \varphi$ iff 
$\varphi \in A$. 

Proof. The proof is by induction on the structure of the formula $\varphi$. 

• $\varphi$ is a proposition symbol: The proof follows directly from the definition 
of $V$. 

• $\varphi = \neg\psi$ or $\varphi = \psi_1 \wedge \psi_2$: The proof follows directly from lemma [4]. 

• $\varphi = \langle P\rangle\psi$: 

($\Rightarrow$) Suppose that $\mathcal{M}^\Gamma, A \Vdash \langle P\rangle\psi$. Then, there exists $A' \in At(\Gamma)$ such that 
$A R_P A'$ and $\mathcal{M}^\Gamma, A' \Vdash \psi$. By the induction hypothesis, we know that 
$\psi \in A'$ and, by the Existence Lemma, we have that $\langle P\rangle\psi \in A$. 

($\Leftarrow$) Suppose that $\langle P\rangle\psi \in A$. Then, by the Existence Lemma, there is 
$A' \in At(\Gamma)$ such that $A R_P A'$ and $\psi \in A'$. By the induction hypothesis, 
$\mathcal{M}^\Gamma, A' \Vdash \psi$, which implies $\mathcal{M}^\Gamma, A \Vdash \langle P\rangle\psi$. 

□ 

Theorem 18 (Completeness). Every consistent formula is satisfiable in a finite 
CCS-PDL model. 
Proof. Let $\varphi$ be a consistent formula. Let $C(\varphi)$ be its closure under the con- 
ditions of definition [21]. As $\varphi$ is consistent, by corollary [2] there is an atom 
$A \in At(\varphi)$ such that $\varphi \in A$. Let $\mathcal{M}^\varphi$ be the canonical model over $\varphi$. Then, by 
the Truth Lemma (lemma [8]), as $\varphi \in A$, we conclude that $\mathcal{M}^\varphi, A \Vdash \varphi$, which 
proves the theorem. □ 